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Preface 


The most profound connection between logic and computation is 
a pun. The doctrine of Propositions as Types asserts that a certain 
kind of formal structure may be read in two ways: either as a 
proposition in logic or as a type in computing. Further, a related 
structure may be read as either the proof of the proposition or as 
a programme of the corresponding type. Further still, simplifica- 
tion of proofs corresponds to evaluation of programs. 


Accordingly, the title of this book also has two readings. It may 
be parsed as “(Programming Language) Foundations in Agda” or 
“Programming (Language Foundations) in Agda” — the specifica- 
tions we will write in the proof assistant Agda both describe pro- 
gramming languages and are themselves programmes. 


The book is aimed at students in the last year of an undergradu- 
ate honours programme or the first year of a master or doctorate 
degree. It aims to teach the fundamentals of operational seman- 
tics of programming languages, with simply-typed lambda calcu- 
lus as the central example. The textbook is written as a literate 
script in Agda. The hope is that using a proof assistant will make 
the development more concrete and accessible to students, and 
give them rapid feedback to find and correct misapprehensions. 


The book is broken into two parts. The first part, Logical Founda- 
tions, develops the needed formalisms. The second part, Pro- 
gramming Language Foundations, introduces basic methods of 
operational semantics. 


Personal remarks 


Since 2013, I have taught a course on Types and Semantics for 
Programming Languages to fourth-year undergraduates and mas- 
ters students at the University of Edinburgh. An earlier version of 
that course was based on Benjamin Pierce’s excellent TAPL. My 


version was based of Pierce’s subsequent textbook, Software 
Foundations, written in collaboration with others and based on 
Coq. I am convinced of Pierce’s claim that basing a course 
around a proof assistant aids learning, as summarised in his ICFP 
Keynote, Lambda, The Ultimate TA. 


However, after five years of experience, I have come to the con- 
clusion that Coq is not the best vehicle. Too much of the course 
needs to focus on learning tactics for proof derivation, to the cost 
of learning the fundamentals of programming language theory. 
Every concept has to be learned twice: e.g., both the product 
data type, and the corresponding tactics for introduction and 
elimination of conjunctions. The rules Coq applies to generate in- 
duction hypotheses can sometimes seem mysterious. While the 
notation construct permits pleasingly flexible syntax, it can be 
confusing that the same concept must always be given two 
names, e.g., both subst N x Mand N [x := M]. Names of 
tactics are sometimes short and sometimes long; naming conven- 
tions in the standard library can be wildly inconsistent. Proposi- 
tions as types as a foundation of proof is present but hidden. 


I found myself keen to recast the course in Agda. In Agda, there 
is no longer any need to learn about tactics: there is just depen- 
dently-typed programming, plain and simple. Introduction is al- 
ways by a constructor, elimination is always by pattern match- 
ing. Induction is no longer a mysterious separate concept, but 
corresponds to the familiar notion of recursion. Mixfix syntax is 
flexible while using just one name for each concept, e.g., substi- 
tution is _[_:=_]. The standard library is not perfect, but there 
is a fair attempt at consistency. Propositions as types as a founda- 
tion of proof is on proud display. 


Alas, there is no textbook for programming language theory in 
Agda. Stump’s Verified Functional Programming in Agda covers 
related ground, but focusses more on programming with depen- 
dent types than on the theory of programming languages. 


The original goal was to simply adapt Software Foundations, 
maintaining the same text but transposing the code from Coq to 
Agda. But it quickly became clear to me that after five years in 
the classroom I had my own ideas about how to present the ma- 


terial. They say you should never write a book unless you cannot 
not write the book, and I soon found that this was a book I could 
not not write. 


I am fortunate that my student, Wen Kokke, was keen to help. 
She guided me as a newbie to Agda and provided an infrastruc- 
ture that is easy to use and produces pages that are a pleasure to 
view. 


Most of the text was written during a sabbatical in the first half 
of 2018. 


— Philip Wadler, Rio de Janeiro, January-June 2018 
A word on the exercises 


Exercises labelled “(recommended)” are the ones students are re- 
quired to do in the class taught at Edinburgh from this textbook. 


Exercises labelled “(stretch)” are there to provide an extra chal- 
lenge. Few students do all of these, but most attempt at least a 
few. 


Exercises labelled “(practice)” are included for those who want 
extra practice. 


You may answer the exercises by downloading the book from 
github and editing where it says “—- Your code goes here”. Alter- 
natively, you may be given a file to edit containing exercises for 
a given coursework. 


In either case, you may need to import additional library func- 
tions required for the solution. You may also need to set up PLFA 
as an Agda library, as described in Getting Started. 


Please do not post answers to the exercises in a public place. 


There is a private repository of answers to selected questions on 
github. Please contact Philip Wadler if you would like to access 
it. 


Getting Started 


C) Build & Test passing pre-commit.ci passed 


v22.0 agda-stdlib v1.7. 


release 


Getting Started for Readers 


You can read PLFA online without installing anything. However, 
if you wish to interact with the code or complete the exercises, 
you need several things: 


* On macOS: The XCode Command Line Tools 
* Git 

* GHC and Cabal 

+ Agda 

* Agda standard library 

¢ PLFA 


PLFA is tested against specific versions of Agda and the standard 
library, which are shown in the badges above. Agda and the stan- 
dard library change rapidly, and these changes often break PLFA, 
so using older or newer versions usually causes problems. 


There are several versions of Agda and its standard library on- 
line. If you are using a package manager, like Homebrew or De- 
bian apt, the version of Agda available there may be out of date. 
Furthermore, Agda is under active development, so if you install 
the development version from the GitHub, you might find the de- 
velopers have introduced changes which break the code here. 
Therefore, it’s important to have the specific versions of Agda 
and the standard library shown above. 


On macOS: Install the XCode Command Line Tools 


On macOS, you’ll need to install The XCode Command Line 


Tools. For most versions of macOS, you can install these by run- 
ning the following command: 


xcode-select --install 
Install Git 


You can check whether you have Git by running the following 
command: 


git --version 
If you do not have Git, see the Git downloads page. 


Install GHC and Cabal 


Agda is written in Haskell, so to install it we’ll need the Glorious 
Haskell Compiler and its package manager Cabal. PLFA should 
work with any version of GHC > =8.10, but is tested with ver- 
sions 8.10 and 9.2. We recommend installing GHC and Cabal us- 
ing ghcup. For instance, once ghcup is installed, by typing 


ghcup install ghc 9.2.4 

ghcup install cabal recommended 
ghcup set ghc 9.2.4 

ghcup set cabal recommended 


or using ghcup tui and choosing to set the appropriate 
tools. 


Install Agda 


The easiest way to install Agda is using Cabal. PLFA uses Agda 
version 2.6.3. Run the following command: 


cabal update 
cabal install Agda-2.6.3 


This step will take a long time and a lot of memory to complete. 


If you have problems or for alternatives see the Agda installation 
instructions. 


If you’d like, you can test to see if you’ve installed Agda cor- 
rectly. 


Install PLFA and the Agda standard library 


We recommend installing PLFA from Github into your home di- 
rectory, by running the following command: 


git clone --depth 1 --recurse-submodules -—-shallow-subn 


PLFA ships with the required version of the Agda standard li- 
brary, so if you cloned with the --recurse-submodules flag, 
you’ve already got it, in the standard-library directory! 


Finally, we need to let Agda know where to find the Agda stan- 
dard library and PLFA. Two configuration files are required, one 
which lists paths to the libraries and one which specifies which 
libraries to load by default. 


On macOS and Unix, if PLFA is installed in your home directory 
and you have no existing library configuration files you wish to 
preserve, run the following commands: 


mkdir -p ~/.agda 
cp ~/plfa/data/dotagda/* ~/.agda 


This provides access to both the Agda standard library and to 
PLFA as an Agda library. 


Otherwise, you will need to edit the appropriate files. Both con- 
figuration files are located in the directory AGDA_DIR. On UNIX 
and macOS, AGDA_DIR defaults to ~/.agda. On Windows, 


AGDA_DIR usually defaults to %AppData%\agda, where 
SAppData% usually defaults to C: \Users \USERNAME 
\AppData\Roaming. 


If the AGDA_DIR directory does not already exist, create 
it. 

In AGDA_DIR, create a plain-text file called libraries 
containing AGDA_STDLIB/standard-library.agda- 
lib, where AGDA_STDLIB is the path to where the Agda 
standard library is located (e.g., ~/plfa/standard- 
library/). This lets Agda know that an Agda library 
called standard-library is available. 

In AGDA_DIR, create a plain-text file called defaults 
containing just the line standard-library. 

If you want to import modules from the book, you will also 
need to provide access to PLFA as an Agda library. To do 
so, let PLFA be the path to the root directory for PLFA. 
Add PLFA/src/plfa.agda-lib to AGDA_DIR/ 
libraries and add plfa to AGDA_DIR/defaults, 
each on a line of their own. 


More information about placing the standard libraries is avail- 
able from the Library Management page of the Agda documenta- 


tion. 


Setting up an editor for Agda 


Emacs 


The recommended editor for Agda is Emacs. To install Emacs: 


On UNIX, the version of Emacs in your repository is proba- 
bly fine as long as it is fairly recent. There are also links to 
the most recent release on the GNU Emacs downloads 


page. 


On MacOS, Aquamacs is probably the preferred version of 
Emacs, but GNU Emacs can also be installed via Home- 
brew or MacPorts. See the GNU Emacs downloads page for 
instructions. 


* On Windows. See the GNU Emacs downloads page for in- 
structions. 


Make sure that you are able to open, edit, and save text files with 
your installation. The tour of Emacs page on the GNU Emacs site 
describes how to access the tutorial within your Emacs installa- 
tion. 


Agda ships with the editor support for Emacs built-in, so if 
you’ve installed Agda, all you have to do to configure Emacs is 
run: 


agda-mode setup 
agda-mode compile 


If you are already an Emacs user and have customized your 
setup, you may want to note the configuration which the setup 
appends to your .emacs file, and integrate it with your own 
preferred setup. 


Check if agda-mode was installed correctly 


Open the nats.agda file you created earlier, and load and 
type-check the file by typing C-c c-1. 


Auto-loading agda-mode in Emacs 


Since version 2.6.0, Agda has had support for literate editing 
with Markdown, using the .lagda.md extension. One issue is 
that Emacs will default to Markdown editing mode for files with 
a .md suffix. In order to have agda—mode automatically loaded 
whenever you open a file ending with .agda or .lagda.md, 
add the following line to your Emacs configuration file: 


7; auto-load agda-mode for .agda and .lagda.md 
(setq auto-mode-alist 
(append 
"(("\\.agda\\'" . agda2-mode) 
("\\.lagda.md\\'" . agda2-mode) ) 


auto-mode-alist) ) 


If you already have settings which change your auto-—mode- 
alist in your configuration, put these after the ones you already 
have or combine them if you are comfortable with Emacs Lisp. 
The configuration file for Emacs is normally located in 
HOME/.emacs or HOME/.emacs.d/init.el, but Aquamacs 
users might need to move their startup settings to the “Prefer- 
ences.el” file in HOME/Library/Preferences/Aquamacs 
Emacs/Preferences. For Windows, see the GNU Emacs docu- 
mentation for a description of where the Emacs configuration is 
located. 


Optional: using the mononoki font with Emacs 


Agda uses Unicode characters for many key symbols, and it is im- 
portant that the font which you use to view and edit Agda pro- 
grams shows these symbols correctly. The most important part is 
that the font you use has good Unicode support, so while we rec- 
ommend mononoki, fonts such as Source Code Pro, DejaVu Sans 
Mono, and FreeMono are all good alternatives. 


You can download and install mononoki directly from the web- 
site. For most systems, installing a font is merely a matter of 
clicking the downloaded .otf or .ttf file. If your package 
manager offers a package for mononoki, that might be easier. For 
instance, Homebrew on macOS offers the font-mononoki 
package, and APT on Debian offers the fonts—mononoki pack- 
age. To configure Emacs to use mononoki as its default font, add 
the following to the end of your Emacs configuration file: 


7; Gefault to mononoki 

(set-face-attribute 'default nil 
:family "mononoki" 
sheight 120 
:weight ‘normal 
width ‘'normal) 


Using agda-mode in Emacs 


To load and type-check the file, use C-c C-1l. 


Agda is edited interactively, using “holes”, which are bits of the 
program that are not yet filled in. If you use a question mark as 
an expression, and load the buffer using C-c cC-1, Agda re- 
places the question mark with a hole. There are several things 
you can to while the cursor is in a hole: 


C-c: case split (asks for variable name) 
C-space: fill in hole 

C-r: refine with constructor 

C-a: automatically fill in hole 

C-,: goal type and context 

C-.: goal type, context, and inferred type 


See the emacs-mode docs for more details. 


If you want to see messages beside rather than below your Agda 
code, you can do the following: 


Open your Agda file, and load it using C-c C-1; 

type C-x 1 to get only your Agda file showing; 

type C-x 3 to split the window horizontally; 

move your cursor to the right-hand half of your frame; 
type C-x b and switch to the buffer called “Agda infor- 
mation”. 


Now, error messages from Agda will appear next to your file, 
rather than squished beneath it. 


Entering Unicode characters in Emacs with agda-mode 


When you write Agda code, you will need to insert characters 
which are not found on standard keyboards. Emacs “agda-mode” 
makes it easier to do this by defining character translations: 
when you enter certain sequences of ordinary characters (the 
kind you find on any keyboard), Emacs will replace them in your 
Agda file with the corresponding special character. 


For example, we can add a comment line to one of the .agda 
test files. Let’s say we want to add a comment line that reads: 


{- I am excited to type V and ~ and < and = !! —-} 


The first few characters are ordinary, so we would just type them 
as usual... 


{- I am excited to type 


But after that last space, we do not find V on the keyboard. The 
code for this character is the four characters \all, so we type 
those four characters, and when we finish, Emacs will replace 
them with what we want... 


{- I am excited to type V 


We can continue with the codes for the other characters. Some- 
times the characters will change as we type them, because a pre- 
fix of our character’s code is the code of another character. This 
happens with the arrow, whose code is \->. After typing \- we 
see... 


{- I am excited to type V and - 


...because the code \- corresponds to a hyphen of a certain 
width. When we add the >, the - becomes -—! The code for < is 
\<=, and the code for =is \==. 


{- I am excited to type V and — and < and 


Finally the last few characters are ordinary again... 


{- I am excited to type V and — and < and if -} 
If you’re having trouble typing the Unicode characters into 
Emacs, the end of each chapter should provide a list of the Uni- 
code characters introduced in that chapter. 


Emacs with agda-mode offers a number of useful commands, 
and two of them are especially useful when it comes to working 
with Unicode characters. For a full list of supported characters, 
use agda-input-show-translations with: 


M-x agda-input-show-translations 


All the supported characters in agda-mode are shown. 

If you want to know how you input a specific Unicode character 
in agda file, move the cursor onto the character and type the fol- 
lowing command: 

M-x quail-show-key 

You'll see the key sequence of the character in mini buffer. 


Spacemacs 


Spacemacs is a “community-driven Emacs distribution” with na- 
tive support for both Emacs and Vim editing styles. It comes with 
integration for agda—mode out of the box. All that is required is 
that you enable the Agda layer in your .spacemacs file. 


Visual Studio Code 

Visual Studio Code is a free source code editor developed by Mi- 
crosoft. There is a plugin for Agda support available on the Vis- 
ual Studio Marketplace. 


Getting Started for Contributors 


If you plan to build PLFA locally, please refer to Contributing for 
additional instructions. 


Part 1: Logical Foundations 


And here is the definition in Agda: Including the line Here is the 
definition of addition in Agda: For example, let’s add two and 
three:We can write the same derivation more compactly by only 
expanding shorthand as needed: In fact, both proofs above are 
longer than need be, and Agda is satisfied with the following: 
Once we have defined addition, we can define multiplication as 
repeated addition: For example, let’s multiply two and three: 
Monus is our first use of a definition that uses pattern matching 
against both arguments: For example, let’s subtract two from 
three:We did not use the second equation at all, but it will be re- 
quired if we try to subtract a larger number from a smaller one: 
In Agda the precedence and associativity of infix operators needs 
to be declared: Including the lines A more efficient representa- 
tion of natural numbers uses a binary rather than a unary system. 
We represent a number as a bitstring: 


Naturals: Natural numbers 


module plfa.partl.Naturals where 


The night sky holds more stars than I can count, though fewer 
than five thousand are visible to the naked eye. The observable 
universe contains about seventy sextillion stars. 


But the number of stars is finite, while natural numbers are infi- 


nite. Count all the stars, and you will still have as many natural 
numbers left over as you started with. 


The naturals are an inductive datatype 


Everyone is familiar with the natural numbers 


WN FO 


and so on. We write N for the type of natural numbers, and say 
that 0, 1, 2, 3, and so on are values of type N, indicated by 
writing 0 : N, 1: N, 2: N, 3 : N,andsoon. 


The set of natural numbers is infinite, yet we can write down its 
definition in just a few lines. Here is the definition as a pair of in- 
ference rules: 


data N : Set where 
zero : N 
suc :N-N 


Here N is the name of the datatype we are defining, and zero 
and suc (short for successor) are the constructors of the datatype. 


Both definitions above tell us the same two things: 


* Base case: zero is a natural number. 
* Inductive case: if m is a natural number, then suc m is 
also a natural number. 


Further, these two rules give the only ways of creating natural 
numbers. Hence, the possible natural numbers are: 


zero 
suc zero 

suc (suc zero) 

suc (suc (suc zero) ) 


We write 0 as shorthand for zero; and 1 is shorthand for suc 
zero, the successor of zero, that is, the natural that comes after 
zero; and 2 is shorthand for suc (suc zero), which is the 
same as suc 1, the successor of one; and 3 is shorthand for the 


successor of two; and so on. 

Exercise seven (practice) 

Write out 7 in longhand. 
-- Your code goes here 


You will need to give both a type signature and definition for the 
variable seven. Type C-c C-1 in Emacs to instruct Agda to re- 
load. 


Unpacking the inference rules 


Let’s unpack the inference rules. Each inference rule consists of 
zero or more judgments written above a horizontal line, called the 
hypotheses, and a single judgment written below, called the con- 
clusion. The first rule is the base case. It has no hypotheses, and 
the conclusion asserts that zero is a natural. The second rule is 
the inductive case. It has one hypothesis, which assumes that m 
is a natural, and the conclusion asserts that suc m is also a nat- 
ural. 


Unpacking the Agda definition 


Let’s unpack the Agda definition. The keyword data tells us this 
is an inductive definition, that is, that we are defining a new 
datatype with constructors. The phrase 


N : Set 


tells us that N is the name of the new datatype, and that it is a 
Set, which is the way in Agda of saying that it is a type. The 
keyword where separates the declaration of the datatype from 
the declaration of its constructors. Each constructor is declared 
on a separate line, which is indented to indicate that it belongs 
to the corresponding data declaration. The lines 


zero : N 
suc :N-N 


give signatures specifying the types of the constructors zero and 
suc. They tell us that zero is a natural number and that suc 
takes a natural number as an argument and returns a natural 
number. 


You may have noticed that N and -— don’t appear on your key- 
board. They are symbols in unicode. At the end of each chapter is 
a list of all unicode symbols introduced in the chapter, including 
instructions on how to type them in the Emacs text editor. Here 
type refers to typing with fingers as opposed to data types! 


The story of creation 


Let’s look again at the rules that define the natural numbers: 


* Base case: zero is a natural number. 
* Inductive case: if m is a natural number, then suc m is 
also a natural number. 


Hold on! The second line defines natural numbers in terms of 
natural numbers. How can that possibly be allowed? Isn’t this as 
useless a definition as “Brexit means Brexit”? 


In fact, it is possible to assign our definition a meaning without 
resorting to unpermitted circularities. Furthermore, we can do so 
while only working with finite sets and never referring to the infi- 
nite set of natural numbers. 


We will think of it as a creation story. To start with, we know 
about no natural numbers at all: 


-—- In the beginning, there are no natural 
numbers. 


Now, we apply the rules to all the natural numbers we know 
about. The base case tells us that zero is a natural number, so 
we add it to the set of known natural numbers. The inductive 
case tells us that if m is a natural number (on the day before to- 
day) then suc m is also a natural number (today). We didn’t 
know about any natural numbers before today, so the inductive 
case doesn’t apply: 


-—- On the first day, there is one natural 
number. 
zero : N 


Then we repeat the process. On the next day we know about all 
the numbers from the day before, plus any numbers added by the 
rules. The base case tells us that zero is a natural number, but 
we already knew that. But now the inductive case tells us that 
since zero was a natural number yesterday, then suc zero is 
a natural number today: 


-—- On the second day, there are two natural 
numbers. 

zero : N 

suc zero : N 


And we repeat the process again. Now the inductive case tells us 
that since zero and suc zero are both natural numbers, then 
suc zero and suc (suc zero) are natural numbers. We al- 
ready knew about the first of these, but the second is new: 


-—- On the third day, there are three natural 
numbers. 


zero : N 
suc zero : N 
suc (suc zero) : N 


You’ve got the hang of it by now: 


-—- On the fourth day, there are four natural 
numbers. 


zero : N 

suc zero : N 

suc (suc zero) : N 

suc (suc (suc zero)) : N 


The process continues. On the n’th day there will be n distinct 
natural numbers. Every natural number will appear on some 
given day. In particular, the number n first appears on day n+ 1. 
And we never actually define the set of numbers in terms of it- 
self. Instead, we define the set of numbers on day n+1 in terms 


of the set of numbers on day n. 


A process like this one is called inductive. We start with nothing, 
and build up a potentially infinite set by applying rules that con- 
vert one finite set into another finite set. 


The rule defining zero is called a base case, because it introduces 
a natural number even when we know no other natural numbers. 
The rule defining successor is called an inductive case, because it 
introduces more natural numbers once we already know some. 
Note the crucial role of the base case. If we only had inductive 
rules, then we would have no numbers in the beginning, and still 
no numbers on the second day, and on the third, and so on. An 
inductive definition lacking a base case is useless, as in the 
phrase “Brexit means Brexit”. 


Philosophy and history 


A philosopher might observe that our reference to the first day, 
second day, and so on, implicitly involves an understanding of 
natural numbers. In this sense, our definition might indeed be re- 
garded as in some sense circular, but we need not let this disturb 
us. Everyone possesses a good informal understanding of the nat- 
ural numbers, which we may take as a foundation for their for- 
mal description. 


While the natural numbers have been understood for as long as 
people can count, the inductive definition of the natural numbers 
is relatively recent. It can be traced back to Richard Dedekind’s 
paper “Was sind und was sollen die Zahlen?” (What are and what 
should be the numbers?), published in 1888, and Giuseppe 
Peano’s book “Arithmetices principia, nova methodo exposita” (The 
principles of arithmetic presented by a new method), published 
the following year. 


A pragma 
In Agda, any text following -- or enclosed between {- and -} 


is considered a comment. Comments have no effect on the code, 
with the exception of one special kind of comment, called a 


pragma, which is enclosed between {-# and #-}. 
{-# BUILTIN NATURAL N #-} 


tells Agda that N corresponds to the natural numbers, and hence 
one is permitted to type 0 as shorthand for zero, 1 as short- 
hand for suc zero, 2 as shorthand for suc (suc zero), 
and so on. The pragma must be given a previously declared type 
(in this case N) with precisely two constructors, one with no ar- 
guments (in this case zero), and one with a single argument of 
the given type (in this case suc). 


As well as enabling the above shorthand, the pragma also en- 
ables a more efficient internal representation of naturals using 
the Haskell type for arbitrary-precision integers. Representing the 
natural n with zero and suc requires space proportional to n, 
whereas representing it as an arbitrary-precision integer in 
Haskell only requires space proportional to the logarithm of n. 


Imports 


Shortly we will want to write some equations that hold between 
terms involving natural numbers. To support doing so, we import 
the definition of equality and notations for reasoning about it 
from the Agda standard library: 


import Relation.Binary.PropositionalEquality as Eq 

open Eq using ( = ; refl) 

open Eq.=-Reasoning using (begin ; =() ; &) 

The first line brings the standard library module that defines 
equality into scope and gives it the name Eq. The second line 
opens that module, that is, adds all the names specified in the 
using clause into the current scope. In this case the names 
added are _=_, the equality operator, and refl, the name for 
evidence that two terms are equal. The third line takes a module 
that specifies operators to support reasoning about equivalence, 
and adds all the names specified in the using clause into the 
current scope. In this case, the names added are begin_, _=() 
_, and _l. We will see how these are used below. We take these 


as givens for now, but will see how they are defined in Chapter 
Equality. 


Agda uses underbars to indicate where terms appear in infix or 
mixfix operators. Thus, _= and _=()_ are infix (each operator 
is written between two terms), while begin_ is prefix (it is 
written before a term), and _§& is postfix (it is written after a 
term). 


Parentheses and semicolons are among the few characters that 
cannot appear in names, so we do not need extra spaces in the 
using list. 


Operations on naturals are recursive functions 


Now that we have the natural numbers, what can we do with 
them? For instance, can we define arithmetic operations such as 
addition and multiplication? 


As a child I spent much time memorising tables of addition and 
multiplication. At first the rules seemed tricky and I would often 
make mistakes. It came as a shock to me to discover recursion, a 
simple technique by which every one of the infinite possible in- 
stances of addition and multiplication can be specified in just a 
couple of lines. 


+ : NoNON 


zero+n=n 
(suc m) + n = suc (m+n) 


Let’s unpack this definition. Addition is an infix operator. It is 
written with underbars where the arguments go, hence its name 
is _+_. The first line is a signature specifying the type of the op- 
erator. The type N > N -} N, indicates that addition accepts 
two naturals and returns a natural. Infix notation is just a short- 
hand for application; the terms m + nand _+_ m n are equiv- 
alent. 


The definition has a base case and an inductive case, correspond- 
ing to those for the natural numbers. The base case says that 
adding zero to anumber, zero + n, returns that number, n. 


The inductive case says that adding the successor of a number to 
another number, (suc m) + n, returns the successor of adding 
the two numbers, suc (m + n). We say we use pattern match- 
ing when constructors appear on the left-hand side of an equa- 
tion. 


If we write zero as 0 and suc mas 1 + a, the definition 
turns into two familiar equations: 


0 +n = n 
(1 +m) +n = 1 + (m+n) 


The first follows because zero is an identity for addition, and the 
second because addition is associative. In its most general form, 
associativity is written 


(m+n) +p = m+ (n + p) 


meaning that the location of parentheses is irrelevant. We get the 
second equation from the third by taking mto be 1, nto be nm, 
and p tobe n. Wewrite = for definitions, while we write = for 
assertions that two already defined things are the same. 


The definition is recursive, in that the last line defines addition in 
terms of addition. As with the inductive definition of the natu- 
rals, the apparent circularity is not a problem. It works because 
addition of larger numbers is defined in terms of addition of 
smaller numbers. Such a definition is called well founded. 


2+325 
begin 

2+ 3 
=() -- is shorthand for 

(suc (Suc zero)) + (suc (suc (Suc zero))) 
=() -- inductive case 

suc ((Suc zero) + (suc (Suc (Suc zero)))) 
=() -- inductive case 

suc (suc (zero + (suc (Suc (Suc zero))))) 
=() -- base case 

suc (Suc (suc (suc (suc zero)))) 
=() -- 1S longhand for 


124385 


~ begin 
2+ 3 


suc (1 + 3) 
=() 
suc (suc (@ + 3)) 


The first line matches the inductive case by taking m = 1 and n 
= 3, the second line matches the inductive case by taking m = 
0 and n = 3, and the third line matches the base case by taking 
n= 3. 


Both derivations consist of a signature (written with a colon, :), 
giving a type, and a binding (written with an equal sign, =), giv- 
ing a term of the given type. Here we use the dummy name _ 
The dummy name can be reused, and is convenient for examples. 
Names other than _ must be used only once in a module. 


Here the type is 2 + 3 = 5 and the term provides evidence for 
the corresponding equation, here written in tabular form as a 
chain of equations. The chain starts with begin and finishes 
with H (pronounced “qed” or “tombstone”, the latter from its ap- 
pearance), and consists of a series of terms separated by =(). 


Note the proofs above appear in colour, meaning that Agda has 
processed and accepted those lines, and hence they are guaran- 
teed not to contain type errors. The same colour appears in the 
Emacs source file after it has been processed in Agda. In Emacs, 
right clicking on any symbol in colour, such as + or suc or =, 
will take you to the definition of that symbol. 


_ igre Ss 
_=refl 


Agda knows how to compute the value of 2 + 3, and so can im- 
mediately check it is the same as _ 5. A binary relation is said to 
be reflexive if every value relates to itself. Evidence that a value is 
equal to itself is written refl. 


In the chains of equations, all Agda checks is that each term sim- 
plifies to the same value. If we jumble the equations, omit lines, 
or add extraneous lines it will still be accepted. It’s up to us to 
write the equations in an order that makes sense to the reader. 


Here 2 + 3 = 5 is a type, and the chains of equations (and 
also refl) are terms of the given type; alternatively, one can 
think of each term as evidence for the assertion 2 + 3 = 5. This 
duality of interpretation—of a type as a proposition, and of a 
term as evidence—is central to how we formalise concepts in 
Agda, and will be a running theme throughout this book. 


Note that when we use the word evidence it is nothing equivocal. 
It is not like testimony in a court which must be weighed to de- 
termine whether the witness is trustworthy. Rather, it is ironclad. 


The other word for evidence, which we will use interchangeably, 
is proof. 


Exercise +—example (practice) 


Compute 3 + 4, writing out your reasoning as a chain of equa- 
tions, using the equations for +. 


-- Your code goes here 


Multiplication 


Computing m * nreturns the sum of mcopies of n. 


Again, rewriting turns the definition into two familiar equations: 


0) *n = 0 
(l +m) *n = n+ (m * n) 


The first follows because zero times anything is zero, and the sec- 
ond follows because multiplication distributes over addition. In 
its most general form, distribution of multiplication over addition 
is written 


(m+n) * p = (m* p) + (n * p) 


We get the second equation from the third by taking m to be 1, 
n to be m, and p to be n, and then using the fact that one is an 
identity for multiplication,so 1 * n =n. 


Again, the definition is well founded in that multiplication of 
larger numbers is defined in terms of multiplication of smaller 
numbers. 


begin 
2*3 

=() -- inductive case 
3 + (1 * 3) 

=() -- inductive case 
3 + (3 + (0 * 3)) 

=() -- base case 
3 + (3 + 0) 

=() -- simplify 
6 


The first line matches the inductive case by taking m = 1 and n 
= 3, the second line matches the inductive case by taking m = 
0 and n = 3, and the third line matches the base case by taking 


n = 3. Here we have omitted the signature declaring _ : 2 * 
3 = 6, since it can easily be inferred from the corresponding 
term. 


Exercise *-example (practice) 


Compute 3 * 4, writing out your reasoning as a chain of equa- 
tions, using the equations for *. (You do not need to step 


through the evaluation of +.) 


-- Your code goes here 


Exercise _*_ (recommended) 


Define exponentiation, which is given by the following equa- 
tions: 


*, iQ) = 1 
m* (1 +n) = m* (m * n) 


Check that 3 * 4is 81. 


-- Your code goes here 


Monus 


We can also define subtraction. Since there are no negative natu- 
ral numbers, if we subtract a larger number from a smaller num- 
ber we will take the result to be zero. This adaption of subtrac- 
tion to naturals is called monus (a twist on minus). 


+ :NoNN 
m = Zero = m 

zero + suc n = zero 
suc m+ suc n = m-=n 


We can do a simple analysis to show that all the cases are cov- 
ered. 


* Consider the second argument. 


© Ifitis zero, then the first equation applies. 
© If itis suc n, then consider the first argument. 


M@ If it is zero, then the second equation ap- 
plies. 
M@ If itis suc m, then the third equation applies. 


Agda will raise an error if all the cases are not covered. As with 
addition and multiplication, the recursive definition is well 
founded because monus on bigger numbers is defined in terms of 
monus on smaller numbers. 


begin 
3+2 
=() 
2+1 
=} 
1+0 
=() 
1 
| 
- beni 
2+3 
=() 
1+2 
=) 
0+1 
= 
0 


We defined monus to ensure that exactly one equation will ap- 
ply. Say the second line was instead written 


zero ~*~ n = zero 


Then it would not be clear whether Agda should use the first or 
second line to simplify zero ~+ zero. In this case, both lines 
lead to the same answer, zero, but that may not be the case in 
general. Putting the line 


{-# OPTIONS --exact-split #-} 


at the beginning of a file causes Agda to raise an error if cases 
overlap, which is sometimes helpful. We will give an example 
where overlap may be desirable in Section Logical Connectives. 


Exercise ~-example; and ~-example:z (recommended) 


Compute 5 + 3 and 3 ~ 5, writing out your reasoning as a 
chain of equations. 


-- Your code goes here 


Precedence 


We often use precedence to avoid writing too many parentheses. 
Application binds more tightly than (or has precedence over) any 
operator, and so we may write suc m + ntomean (suc m) 
+ n. As another example, we say that multiplication binds more 
tightly than addition, and so write n + m * nto mean n + 
(m * n). We also sometimes say that addition associates to the 
left, and so write m + n + ptomean (m+n) + p. 


infixl 6 + + 


infixl 7 _*_ 


This states operators _+_and _~_ have precedence level 6, and 
operator _*_ has precedence level 7. Addition and monus bind 
less tightly than multiplication because they have lower prece- 
dence. Writing infix1 indicates that all three operators asso- 
ciate to the left. One can also write infixr to indicate that an 
operator associates to the right, or just infix to indicate that 
parentheses are always required to disambiguate. 


Currying 


We have chosen to represent a function of two arguments in 
terms of a function of the first argument that returns a function 
of the second argument. This trick goes by the name currying. 


Agda, like other functional languages such as Haskell and ML, is 
designed to make currying easy to use. Function arrows associate 
to the right and application associates to the left 


N = N = Nstands for N + (N - N) 


and 
_+_ 2 3standsfor (_+ _ 2) 3. 


The term _+_ 2 by itself stands for the function that adds two 


to its argument, hence applying it to three yields five. 


Currying is named for Haskell Curry, after whom the program- 
ming language Haskell is also named. Curry’s work dates to the 
1930’s. When I first learned about currying, I was told it was 
misattributed, since the same idea was previously proposed by 
Moses Schonfinkel in the 1920’s. I was told a joke: “It should be 
called schonfinkeling, but currying is tastier”. Only later did I 
learn that the explanation of the misattribution was itself a mis- 
attribution. The idea actually appears in the Begriffsschrift of Got- 
tlob Frege, published in 1879. 


The story of creation, revisited 


Just as our inductive definition defines the naturals in terms of 
the naturals, so does our recursive definition define addition in 
terms of addition. 


Again, it is possible to assign our definition a meaning without 
resorting to unpermitted circularities. We do so by reducing our 
definition to equivalent inference rules for judgments about 
equality: 


a =e 1N 
zero +n = on 
m+n = p 

(suc m) +n = suc p 


Here we assume we have already defined the infinite set of natu- 
ral numbers, specifying the meaning of the judgment n : N. 
The first inference rule is the base case. It asserts that if n is a 
natural number then adding zero to it gives n. The second infer- 
ence rule is the inductive case. It asserts that if adding mand n 


gives p, then adding suc mand n gives suc p. 


Again we resort to a creation story, where this time we are con- 
cerned with judgments about addition: 


-—- In the beginning, we know nothing about 
addition. 


Now, we apply the rules to all the judgment we know about. The 
base case tells us that zero + n = n for every natural n, so 
we add all those equations. The inductive case tells us that if m 
+ n = p (on the day before today) then suc m + n = suc p 
(today). We didn’t know any equations about addition before to- 
day, so that rule doesn’t give us any new equations: 


-- On the first day, we know about addition of 
0+ 0= 0 O+1e= 1 0+2=2 


Then we repeat the process, so on the next day we know about 
all the equations from the day before, plus any equations added 
by the rules. The base case tells us nothing new, but now the in- 
ductive case adds more equations: 


-- On the second day, we know about addition of 


QO and 1 

0+ 0= 0 0+ 1e=1 0+2= 2 0+ 3 
= 3 

1+0e=1 1+1=2 det 2S 3 1+ 3 
= 4 


And we repeat the process again: 


-—- On the third day, we know about addition of 
0, ly and 2. 
0 


o+ 8 + W + 


You’ve got the hang of it by now: 


-- On the fourth day, we know about addition of 


0Q,. 1, 2, and: 3.. 

0+ 0= 0 0+ 1e=1 0+2= 2 0+ 3 
= 3 ee 

1+0e=1 1+1=2 1+ 2 = 3 1+ 3 
= 4 5% 

2+0=2 2+1 = 3 2+ 22+ 4 2+ 3 
= 5 _ 

3 +0 = 3 34+1e2+4 3+2= 5 3 + 3 
= 6 she 


The process continues. On the m’th day we will know all the 
equations where the first number is less than m. 


As we can see, the reasoning that justifies inductive and recur- 
sive definitions is quite similar. They might be considered two 
sides of the same coin. 


The story of creation, finitely 


The above story was told in a stratified way. First, we create the 
infinite set of naturals. We take that set as given when creating 
instances of addition, so even on day one we have an infinite set 
of instances. 


Instead, we could choose to create both the naturals and the in- 
stances of addition at the same time. Then on any day there 
would be only a finite set of instances: 


-—- In the beginning, we know nothing. 


Now, we apply the rules to all the judgment we know about. 
Only the base case for naturals applies: 


-—- On the first day, we know zero. 
o: N 


Again, we apply all the rules we know. This gives us a new natu- 
ral, and our first equation about addition. 


-—- On the second day, we know one and all sums 
that yield zero. 

o: N 

1: N 0+0=0 


Then we repeat the process. We get one more equation about ad- 
dition from the base case, and also get an equation from the in- 
ductive case, applied to equation of the previous day: 


-- On the third day, we know two and all sums 
that yield one. 


o: N 
1: N 0+ 0= 0 
2:N O0O+1e= 1 1+0e= 1 


You’ve got the hang of it by now: 


-—- On the fourth day, we know three and all sums 
that yield two. 


o: N 

1 N 0+ 0= 0 

2 N 0O+1=1 1+0e-=1 

3 N 0+2=2 1+t12e= 2+0=2 


On the n’th day there will be n distinct natural numbers, and n x 
(n-1) / 2 equations about addition. The number n and all equa- 
tions for addition of numbers less than n first appear by day n 
+1. This gives an entirely finitist view of infinite sets of data and 
equations relating the data. 


Writing definitions interactively 


Agda is designed to be used with the Emacs text editor, and the 
two in combination provide features that help to create defini- 
tions and proofs interactively. 


Begin by typing: 
+ :N-3N-N 


mt+one= ? 


The question mark indicates that you would like Agda to help 

with filling in that part of the code. If you type C-c C-1 (press- 

ing the control key while hitting the c key followed by the 1 

key), which stands for load, the question mark will be replaced: 
+_:N-+3N-N 


m+ns= { }0 


The empty braces are called a hole, and O is a number used for 
referring to the hole. The hole will display highlighted in green. 
Emacs will also create a window displaying the text 


270 : N 


to indicate that hole 0 is to be filled in with a term of type N. 
Typing C-c cC-f (for forward) will move you into the next hole. 


We wish to define addition by recursion on the first argument. 
Move the cursor into the hole and type C-c C-~c (for case). You 
will be given the prompt: 


pattern variables to case (empty for split on 
result): 


Typing m will cause a split on that variable, resulting in an up- 
date to the code: 


+ :N4N-AN 
zero + n= { }0 
suc m+ne= { }1l 


There are now two holes, and the window at the bottom tells you 
the required type of each: 


20 : N 
?1 : N 
Going into hole 0 and typing C-c c-, will display information 
on the required type of the hole, and what free variables are 
available: 


Goal: N 


n:N 


This strongly suggests filling the hole with n. After the hole is 
filled, you can type C-c C-space, which will remove the hole: 


+ :N-+4NG-N 
zero +ne=n 
suc m+ne= { }1 


Again, going into hole 1 and typing C-c c-, will display infor- 
mation on the required type of the hole, and what free variables 
are available: 


Goal: N 
ni: N 
m:N 


Going into the hole and type C-c C~r (for refine) will fill it in 
with a constructor (if there is a unique choice) or tell you what 
constructors you might use, if there is a choice. In this case, it 
displays the following: 


Don't know which constructor to introduce of 
zero or suc 


Filling the hole with suc ? and typing C-c C-space results 
in the following: 


+ :N4NGAN 
zero +ne=n 
suc m+n= suc { }l1l 


Going into the new hole and typing C-c C-, gives similar in- 
formation to before: 


Goal: N 


ni: N 
m:N 


We can fill the hole with m + n and type C-c C-space to 
complete the program: 


+. :N-+4NG-N 
zero +n=n 
suc m+n = suc (m + n) 


Exploiting interaction to this degree is probably not helpful for a 
program this simple, but the same techniques can help with more 
complex programs. Even for a program this simple, using C-c 
C-c to split cases can be helpful. 


More pragmas 


{-# BUILTIN NATPLUS + #-} 
{-# BUILTIN NATTIMES * #-} 
{-# BUILTIN NATMINUS = #-} 


tells Agda that these three operators correspond to the usual 
ones, and enables it to perform these computations using the cor- 
responding Haskell operators on the arbitrary-precision integer 
type. Representing naturals with zero and suc requires time 
proportional to m to add m and n, whereas representing naturals 
as integers in Haskell requires time proportional to the larger of 
the logarithms of m and n. Similarly, representing naturals with 
zero and suc requires time proportional to the product of m 
and n to multiply m and n, whereas representing naturals as inte- 
gers in Haskell requires time proportional to the sum of the loga- 
rithms of m and n. 


Exercise Bin (stretch) 


data Bin : Set where 
() : Bin 
_0 : Bin - Bin 


_I : Bin - Bin 


For instance, the bitstring 


1011 


standing for the number eleven is encoded as 
OL Or I 


Representations are not unique due to leading zeros. Hence, 
eleven is also represented by 001011, encoded as: 


Y)OOITOITI 
Define a function 
inc : Bin > Bin 


that converts a bitstring to the bitstring for the next higher num- 
ber. For example, since 1100 encodes twelve, we should have: 


inc (Y) IO II) =4%)IIOO 


Confirm that this gives the correct answer for the bitstrings en- 
coding zero through four. 


Using the above, define a pair of functions to convert between 
the two representations. 


to : N = Bin 
from : Bin -N 


For the former, choose the bitstring to have no leading zeros if it 
represents a positive natural, and represent zero by () ©. Con- 
firm that these both give the correct answer for zero through 
four. 


-- Your code goes here 


Standard library 


At the end of each chapter, we will show where to find relevant 
definitions in the standard library. The naturals, constructors for 
them, and basic operators upon them, are defined in the standard 
library module Data.Nat: 


-- import Data.Nat using (N; zero; suc; +; *; ~~; +) 


Normally, we will show an import as running code, so Agda will 
complain if we attempt to import a definition that is not avail- 
able. This time, however, we have only shown the import as a 
comment. Both this chapter and the standard library invoke the 
NATURAL pragma, the former on N, and the latter on the equiva- 
lent type Data.Nat.N. Such a pragma can only be invoked 
once, as invoking it twice would raise confusion as to whether 2 
is a value of type N or type Data.Nat.N. Similar confusions 
arise if other pragmas are invoked twice. For this reason, we will 
usually avoid pragmas in future chapters. Information on prag- 
mas can be found in the Agda documentation. 


Unicode 


This chapter uses the following unicode: 


N U+2115 DOUBLE-STRUCK CAPITAL N (\bN) 

+ U+2192 RIGHTWARDS ARROW (\to, \r, \->) 

+ U+2238 DOT MINUS (\.-) 

= U+2261 IDENTICAL TO (\==) 

( U+27E8 MATHEMATICAL LEFT ANGLE BRACKET (\<) 
) U+27E9 MATHEMATICAL RIGHT ANGLE BRACKET (\>) 
HB U+220E END OF PROOF (\qed) 


Each line consists of the Unicode character (N), the correspond- 
ing code point (U+2115), the name of the character (DOUBLE- 
STRUCK CAPITAL N), and the sequence to type into Emacs to 
generate the character (\bN). 


The command \r gives access to a wide variety of rightward ar- 
rows. After typing \r, one can access the many available arrows 
by using the left, right, up, and down keys to navigate. The com- 
mand remembers where you navigated to the last time, and 
starts with the same character next time. The command \1 
works similarly for left arrows. In place of left, right, up, and 
down keys, one may also use control characters: 


C-b left (backward one character) 


C-f£ right (forward one character) 
C-p up (to the previous line) 
C-n down (to the next line) 


We write C-b to stand for control-b, and similarly. One can also 
navigate left and right by typing the digits that appear in the dis- 
played list. 


For a full list of supported characters, use agda-input-show- 
translations with: 


M-x agda-input-show-translations 


All the characters supported by agda-mode are shown. We 
write M-x to stand for typing ESC followed by x. 


If you want to know how you input a specific Unicode character 
in an agda file, move the cursor onto the character and use 
quail-show-key with: 


M-x quail-show-key 


You'll see a key sequence of the character in mini buffer. If you 
run M-x quail-show-key on say ~, you will see \.- for the 
character. 


We require equality as in the previous chapter, plus the naturals 
and some operations upon them. We also require a couple of new 
operations, cong, sym, and _=(_)_, which are explained be- 
low: We can test the proposition by choosing specific numbers 
for the three variables: Here is the proposition’s statement and 
proof: Here is the lemma’s statement and proof: Here is the 
lemma’s statement and proof: Finally, here is our proposition’s 
statement and proof: We can apply associativity to rearrange 
parentheses however we like. Here is an example: There is more 
than one way to skin a cat. Here is a second proof of associativity 
of addition in Agda, using rewrite rather than chains of equa- 
tions: Here is a second proof of commutativity of addition, using 
rewrite rather than chains of equations: Definitions similar to 
those in this chapter can be found in the standard library: 


Induction: Proof by Induction 


module plfa.partl.Induction where 


Induction makes you feel guilty for getting some- 
thing out of nothing ... but it is one of the great- 
est ideas of civilization. - Herbert Wilf 


Now that we’ve defined the naturals and operations upon them, 
our next step is to learn how to prove properties that they satisfy. 
As hinted by their name, properties of inductive datatypes are 
proved by induction. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 


open Eq using ( = ; refl; cong; sym) 
open Eq.=-Reasoning using (begin ; =() ; step-=; #1) 
open import Data.Nat using (N; zero; suc; +; *; +; % ) 


(Importing step-= defines _=(_)_.) 


Properties of operators 


Operators pop up all the time, and mathematicians have agreed 
on names for some of the most common properties. 


Identity. Operator + has left identity 0 if 0 + n = n, 
and right identity Oif n + O = n, forall n. A value that 
is both a left and right identity is just called an identity. 
Identity is also sometimes called unit. 


Associativity. Operator + is associative if the location of 
parentheses does not matter: (m + n) + p =m + (n 
+ p), forall m, n,and p. 


Commutativity. Operator + is commutative if order of argu- 
ments does not matter: m + n = n + nm, for all mand 
n. 


Distributivity. Operator * distributes over operator + from 
the leftif m * (p + q) = (m * p) + (m * q), for 
all m, p, and q, and from the right if (m + n) * p = 
(m * p) + (n * p), forall m, n,and p. 


Addition has identity 0 and multiplication has identity 1; addi- 
tion and multiplication are both associative and commutative; 
and multiplication distributes over addition. 


If you ever bump into an operator at a party, you now know how 
to make small talk, by asking whether it has a unit and is asso- 
ciative or commutative. If you bump into two operators, you 
might ask them if one distributes over the other. 


Less frivolously, if you ever bump into an operator while reading 
a technical paper, this gives you a way to orient yourself, by 
checking whether or not it has an identity, is associative or com- 
mutative, or distributes over another operator. A careful author 
will often call out these properties—or their lack—for instance 
by pointing out that a newly introduced operator is associative 
but not commutative. 


Exercise operators (practice) 


Give another example of a pair of operators that have an identity 


and are associative, commutative, and distribute over one an- 
other. (You do not have to prove these properties.) 


Give an example of an operator that has an identity and is asso- 
ciative but is not commutative. (You do not have to prove these 
properties.) 


Associativity 


One property of addition is that it is associative, that is, that the 
location of the parentheses does not matter: 


(m+n) +p =m+ (n + p) 


Here m, n, and p are variables that range over all natural num- 
bers. 


Here we have displayed the computation as a chain of equations, 
one term to a line. It is often easiest to read such chains from the 
top down until one reaches the simplest term (in this case, 12), 
and then from the bottom up until one reaches the same term. 


The test reveals that associativity is perhaps not as obvious as 
first it appears. Why should 7 + 5 be the same as 3 + 9? We 
might want to gather more evidence, testing the proposition by 
choosing other numbers. But—since there are an infinite number 
of naturals—testing can never be complete. Is there any way we 
can be sure that associativity holds for all the natural numbers? 


The answer is yes! We can prove a property holds for all naturals 
using proof by induction. 


Proof by induction 


Recall the definition of natural numbers consists of a base case 
which tells us that zero is a natural, and an inductive case which 
tells us that if mis a natural then suc mis also a natural. 


Proof by induction follows the structure of this definition. To 
prove a property of natural numbers by induction, we need to 
prove two cases. First is the base case, where we show the prop- 
erty holds for zero. Second is the inductive case, where we as- 
sume the property holds for an arbitrary natural m (we call this 
the inductive hypothesis), and then show that the property must 
also hold for suc m. 


If we write P m for a property of m, then what we need to 
demonstrate are the following two inference rules: 


Let’s unpack these rules. The first rule is the base case, and re- 
quires we show that property P holds for zero. The second rule 
is the inductive case, and requires we show that if we assume the 
inductive hypothesis—namely that P holds for m—then it fol- 
lows that P also holds for suc m. 


Why does this work? Again, it can be explained by a creation 
story. To start with, we know no properties: 


-—- In the beginning, no properties are known. 


Now, we apply the two rules to all the properties we know 
about. The base case tells us that P zero holds, so we add it to 
the set of known properties. The inductive case tells us that if P 


m holds (on the day before today) then P (suc m) also holds 
(today). We didn’t know about any properties before today, so 
the inductive case doesn’t apply: 


-—- On the first day, one property is known. 
P zero 


Then we repeat the process, so on the next day we know about 
all the properties from the day before, plus any properties added 
by the rules. The base case tells us that P zero holds, but we 
already knew that. But now the inductive case tells us that since 
P zero held yesterday, then P (suc zero) holds today: 


-—- On the second day, two properties are known. 
P zero 
P (suc zero) 


And we repeat the process again. Now the inductive case tells us 
that since P zero and P (suc zero) both hold, then P 
(suc zero) and P (suc (suc zero)) also hold. We al- 
ready knew about the first of these, but the second is new: 


-—- On the third day, three properties are known. 
P zero 

P (suc zero) 

P (suc (suc zero) ) 


You’ve got the hang of it by now: 


-- On the fourth day, four properties are known. 
P zero 

P (suc zero) 

P (suc (suc zero) ) 

P (suc (suc (suc zero) )) 


The process continues. On the n’th day there will be n distinct 
properties that hold. The property of every natural number will 
appear on some given day. In particular, the property P n first 
appears on day n+ 1. 


Our first proof: associativity 


To prove associativity, we take P m to be the property: 
(m+n) +p =m+ (n + p) 


Here n and p are arbitrary natural numbers, so if we can show 
the equation holds for all m it will also hold for all n and p. 
The appropriate instances of the inference rules are: 


(zero + n) + p = zero + (n + p) 


(m+n) +p =m + (n + p) 


(suc m+n) +p = suc m+ (n + p) 


If we can demonstrate both of these, then associativity of addi- 
tion follows by induction. 


+-assoc : V (mnp: N) - (m+n) +p=m+ (n+p) 
+-assoc zero np = 
begin 
(zero +n) +p 
={} 
n+p 
=) 


zero + (n + p) 
+-assoc (suc m) n p = 


(suc m+n) +p 
St) 


suc (m+n) +p 


suc ((m +n) + p) 

=( cong suc (+-assoc mn p) ) 
suc (m + (n + p)) 

=() 
suc m + (n + p) 

i] 


We have named the proof +-assoc. In Agda, identifiers can 
consist of any sequence of characters not including spaces or the 
characters @. () {}j_. 


Let’s unpack this code. The signature states that we are defining 
the identifier +-assoc which provides evidence for the proposi- 
tion: 


Y(mnp: N) > (m+n) +pz2=m+4+ (n+ p) 


The upside down A is pronounced “for all”, and the proposition 
asserts that for all natural numbers m, n, and p the equation 
(m + n) + p =m + (n + p) holds. Evidence for the propo- 
sition is a function that accepts three natural numbers, binds 
them to m, n, and p, and returns evidence for the correspond- 
ing instance of the equation. 


For the base case, we must show: 
(zero +n) + p = zero + (n + p) 


Simplifying both sides with the base case of addition yields the 
equation: 


ntpH=nt+p 


This holds trivially. Reading the chain of equations in the base 
case of the proof, the top and bottom of the chain match the two 
sides of the equation to be shown, and reading down from the 
top and up from the bottom takes us to n + p in the middle. No 
justification other than simplification is required. 


For the inductive case, we must show: 
(suc m+n) + p = suc m+ (n + p) 


Simplifying both sides with the inductive case of addition yields 
the equation: 


suc ((m +n) + p) = suc (m+ (n + p)) 


This in turn follows by prefacing suc to both sides of the induc- 
tion hypothesis: 


(m+n) +p =m+ (n + p) 


Reading the chain of equations in the inductive case of the proof, 
the top and bottom of the chain match the two sides of the equa- 
tion to be shown, and reading down from the top and up from 
the bottom takes us to the simplified equation above. The re- 
maining equation does not follow from simplification alone, so 
we use an additional operator for chain reasoning, _=(_) , 
where a justification for the equation appears within angle brack- 
ets. The justification given is: 


{ cong suc (+-assoc mn p) ) 


Here, the recursive invocation +—-assoc mn p has as its type 
the induction hypothesis, and cong suc prefaces suc to each 
side to yield the needed equation. 


A relation is said to be a congruence for a given function if it is 
preserved by applying that function. If e is evidence that x = 
y, then cong f eis evidence that f x = f y, for any func- 
tion f. 


Here the inductive hypothesis is not assumed, but instead proved 
by a recursive invocation of the function we are defining, +- 
assoc mn p. As with addition, this is well founded because as- 
sociativity of larger numbers is proved in terms of associativity of 
smaller numbers. In this case, assoc (suc m) n p is proved 
using assoc m n p. The correspondence between proof by in- 
duction and definition by recursion is one of the most appealing 
aspects of Agda. 


Induction as recursion 
As a concrete example of how induction corresponds to recur- 
sion, here is the computation that occurs when instantiating m to 


2 in the proof of associativity. 


+-assoc-0 : V (np : N) = (OQ +n) +p 20+ (n+p) 
+-assoc-0 np = 


+-assoc-1 : V (np: N) = (1 +n) + p21 + (n+p) 
+-assoc-1 n p = 


suc ((0 + n) + p) 
=( cong suc (+-assoc-0 n p) ) 
suc (0 + (n + p)) 


1+ (n + p) 


+-assoc-2 : V (np: N) = (2 +n) +p22 + (n+p) 
+-assoc-2 np = 


suc ((1 +n) +p) 

=( cong suc (+-assoc-1 n p) ) 
suc (1 + (n + p)) 

=() 
2+ (n+p) 

i] 


Terminology and notation 


The symbol Vv appears in the statement of associativity to indi- 
cate that it holds for all numbers m, n, and p. We refer to V as 
the universal quantifier, and it is discussed further in Chapter 
Quantifiers. 


Evidence for a universal quantifier is a function. The signatures 


t-assoc : V (mn p: N) -— (m+n) + p=m+4+ (n + 
P) 


and 


t-assoc : V (m: N) + V (n : N) += V (p : N) = 
(m+n) +p =m+ (n + p) 


are equivalent. They differ from a function type such as N > N 
+ N in that variables are associated with each argument type, 
and the result type may mention (or depend upon) these vari- 
ables; hence they are called dependent functions. 


Ordinary functions are a special case of dependent functions. For 
instance, the signatures 


+_:N-sN-N 


are all equivalent. 
Our second proof: commutativity 


Another important property of addition is that it is commutative, 
that is, that the order of the operands does not matter: 


mtfno=net+mMm 


The proof requires that we first demonstrate two lemmas. 
The first lemma 


The base case of the definition of addition states that zero is a 
left-identity: 
zero +ne=z=on 


Our first lemma states that zero is also a right-identity: 


m+ zero =m 


+-identity" : V (m: N) > m+ zero=m 
+-identity" zero = 
begin 
zero + zero 
=() 
zero 
| 
+-identity" (suc m) = 
begin 
suc m + zero 
suc (m + zero) 
=( cong suc (+-identity" m) ) 


suc m 
| 


The signature states that we are defining the identifier +- 
identity’ which provides evidence for the proposition: 


Y (m: N) +m + zero =m 


Evidence for the proposition is a function that accepts a natural 
number, binds it to m, and returns evidence for the correspond- 
ing instance of the equation. The proof is by induction on m. 


For the base case, we must show: 
zero + zero = zero 


Simplifying with the base case of addition, this is straightfor- 
ward. 


For the inductive case, we must show: 
(suc m) + zero = suc m 


Simplifying both sides with the inductive case of addition yields 
the equation: 


suc (m + zero) = sucm 


This in turn follows by prefacing suc to both sides of the induc- 
tion hypothesis: 


m+ zero =m 


Reading the chain of equations down from the top and up from 
the bottom takes us to the simplified equation above. The re- 
maining equation has the justification: 


{ cong suc (+-identity’ m) ) 


Here, the recursive invocation +-identity" m has as its type 
the induction hypothesis, and cong suc prefaces suc to each 
side to yield the needed equation. This completes the first 
lemma. 


The second lemma 


The inductive case of the definition of addition pushes suc on 
the first argument to the outside: 


suc m+n = suc (m+ n) 


Our second lemma does the same for suc on the second argu- 
ment: 


m+ suc n = suc (m + n) 


+-suc : V (mn: N) > m+ suc n = suc (m+n) 
+-suc zero n = 
begin 
zero + suc n 
=() 
suc n 
={} 
suc (zero + n) 
| 
+-suc (suc m) n = 
begin 
suc m + suc n 


suc (m + suc n) 
{ cong suc (+-suc mn) ) 
suc (suc (m + n)) 


suc (Suc m + n) 


The signature states that we are defining the identifier +-suc 
which provides evidence for the proposition: 


¥Y (mn: N) +m + suc n = suc (m+ n) 


Evidence for the proposition is a function that accepts two natu- 
ral numbers, binds them to m and n, and returns evidence for 
the corresponding instance of the equation. The proof is by in- 
duction on m. 


For the base case, we must show: 


zero + suc n = suc (zero + n) 


Simplifying with the base case of addition, this is straightfor- 
ward. 


For the inductive case, we must show: 


suc m+ suc n = suc (suc m + n) 


Simplifying both sides with the inductive case of addition yields 
the equation: 


suc (m + suc n) = suc (suc (m + n)) 


This in turn follows by prefacing suc to both sides of the induc- 
tion hypothesis: 


m+ suc n = suc (m + n) 


Reading the chain of equations down from the top and up from 
the bottom takes us to the simplified equation in the middle. The 
remaining equation has the justification: 


{ cong suc (+-suc mn) ) 


Here, the recursive invocation +—suc m n has as its type the in- 
duction hypothesis, and cong suc prefaces suc to each side to 
yield the needed equation. This completes the second lemma. 


The proposition 


+-comm : V (mn: N) >m+n2n+M 
+-comm m zero = 
begin 
m + zero 
=( +-identity" m ) 


zero + m 


+-comm m (suc n) = 


suc (m + n) 

=( cong suc (+-comm mn) ) 
suc (n + m) 

=() 
suc n +m 

| 


The first line states that we are defining the identifier +-—comm 
which provides evidence for the proposition: 


Y (mn: N) +m+n2n4+mMm 


Evidence for the proposition is a function that accepts two natu- 
ral numbers, binds them to m and n, and returns evidence for 
the corresponding instance of the equation. The proof is by in- 
duction on n. (Not on m this time!) 


For the base case, we must show: 
m+ zero = zero +m 


Simplifying both sides with the base case of addition yields the 
equation: 


m+ zero =m 


The remaining equation has the justification ( +-identity" m 
), which invokes the first lemma. 


For the inductive case, we must show: 
m+ suc n = suc n +m 


Simplifying both sides with the inductive case of addition yields 
the equation: 


m+ suc n = suc (n + m) 
We show this in two steps. First, we have: 
m+ suc n = suc (m + n) 


which is justified by the second lemma, ( +-suc m n ). Then 
we have 


suc (m +n) = suc (n + m) 


which is justified by congruence and the induction hypothesis, ( 
cong suc (+-comm m n) ). This completes the proof. 


Agda requires that identifiers are defined before they are used, so 
we must present the lemmas before the main proposition, as we 
have done above. In practice, one will often attempt to prove the 
main proposition first, and the equations required to do so will 
suggest what lemmas to prove. 


Our first corollary: rearranging 


+-rearrange : V ( 
+-rearrange mnpq = 
begin 
(m+n) + (p + q) 
=( sym (+-assoc (m+n) pq) ) 
((m+n)+p)+q 
=( cong (_+ q) (+-assoc mn p) ) 
(m+ (n+p)) +q 
| 


No induction is required, we simply apply associativity twice. A 
few points are worthy of note. 


mnpq:N) > (m+n) + (p+q) =m+ (n+p) +q 


First, addition associates to the left, so m + (n + p) + q 
stands for (m + (n + p)) + q. 


Second, we use sym to interchange the sides of an equation. 
Proposition +-assoc (m + n) p q shifts parentheses from 
left to right: 


((m +n) + p) + q = (m+n) + (p + q) 


To shift them the other way, we use sym (+-assoc (m + n) 
p q): 


(m +n) + (p + q) = ((m +n) +p) +q 


In general, if e provides evidence for x = y then sym e pro- 
vides evidence for y = x. 


Third, Agda supports a variant of the section notation introduced 
by Richard Bird. We write (_+ y) for the function that applied 
to x returns x + y. Thus, applying the congruence cong (_+ 
q) to assoc mn p takes the equation: 


(m +n) + p m+ (n + p) 
into the equation: 
((m +n) +p) +q = (m+ (n + p)) + q 


Similarly, we write (x +_) for the function that applied to y 
returns x + y; the same works for any infix operator. 


Creation, one last time 


Returning to the proof of associativity, it may be helpful to view 
the inductive proof (or, equivalently, the recursive definition) as 
a creation story. This time we are concerned with judgments as- 
serting associativity: 


-—- In the beginning, we know nothing about 
associativity. 


Now, we apply the rules to all the judgments we know about. 


The base case tells us that (zero + n) + p = zero + (n + 
p) for every natural n and p. The inductive case tells us that if 
(m + n) + p =m + (n + p) (on the day before today) then 
(suc m +n) + p = suc m + (n + p) (today). We didn’t 
know any judgments about associativity before today, so that 
rule doesn’t give us any new judgments: 


-—- On the first day, we know about associativity 
of 0. 

(O + 0) + 02 0 + (0 + O) starts (0 + 4) + 5 
0 + (4 + 5) 


Then we repeat the process, so on the next day we know about 
all the judgments from the day before, plus any judgments added 
by the rules. The base case tells us nothing new, but now the in- 
ductive case adds more judgments: 


= On the second day, we know about 
associativity of 0 andl. 

(0 + 0) + 0 = 0 + (0 + OQ) ees (0 + 4) +5 = 
0+ (4 + 5) ake 

(1 + 0) + 0 = 1 + (0 + OQ) € rs (1 + 4) +5 =e 
1+ (4 + 5) 


And we repeat the process again: 


-- On the third day, we know about associativity 
of 0, 1, and 2. 


(0 + 0) + 0 = 0 + (0 + OQ) aoa (0 + 4) + 52 
O + (4 + 5) were 
(1 + 0) + 0 =1 + (0 + QO) bees (Cl. se 4) + 25 = 
1 + (4 + 5) rer 
(2 + 0) + 0 = 2 + (0 + OQ) er (2 + 4) +52 


2+ (4 + 5) 
You’ve got the hang of it by now: 


== On the fourth day, we know about 
associativity of 0, 1, 2, and 3. 

(0 + 0) + 0 = 0 + (0 + OQ) ohare (0 + 4) + 58s 
0+ (4 + 5) 


(1 + 0) +021 + (0 + OQ) # iste (1 + 4) + 5 


1+ (4 + 5) Se 

(2 + 0) + 0=2 + (0 + OQ) ‘8-8 (2 + 4) +5 se 
2+ (4 + 5) ee 

(3 + 0) + 0 = 3 + (0 + OQ) re (3 + 4) + 56s 
3 + (4 + 5) 


The process continues. On the m’th day we will know all the 
judgments where the first number is less than m. 


There is also a completely finite approach to generating the same 
equations, which is left as an exercise for the reader. 


Exercise finite-+—assoc (stretch) 


Write out what is known about associativity of addition on each 
of the first four days using a finite story of creation, as earlier. 


-- Your code goes here 


Associativity with rewrite 


t+-assoc’ : V (mnp: N) - (m+n) +p=m+ (n+p) 
+-assoc’ zero np 
+-assoc’ (suc m) np rewrite +-assoc’ mnp 


For the base case, we must show: 
(zero + n) + p = zero + (n + p) 


Simplifying both sides with the base case of addition yields the 
equation: 


ntp=nt+p 


This holds trivially. The proof that a term is equal to itself is 
written refl. 


For the inductive case, we must show: 


(suc m+n) +p = sucm + (n + p) 


Simplifying both sides with the inductive case of addition yields 
the equation: 


suc ((m +n) + p) = suc (m+ (n + p)) 


This is our goal to be proved. Rewriting by a given equation is 
indicated by the keyword rewrite followed by a proof of that 
equation. Rewriting replaces each occurrence of the left-hand 
side of the equation in the goal by the right-hand side. In this 
case, after rewriting by the inductive hypothesis our goal be- 
comes 


suc (m + (n + p)) = suc (m+ (n + p)) 


and the proof is again given by refl. Rewriting avoids not only 
chains of equations but also the need to invoke cong. 


Commutativity with rewrite 


+-identity’ : V (n: N) +n + zero=n 
+-identity’ zero = refl 
+-identity’ (suc n) rewrite +-identity’ n = refl 


+-suc’ : V (mn: N) > m+ suc n = suc (m+n) 
+-suc’ zero n = refl 
+-suc’ (suc m) n rewrite +-suc’ mn = refl 


+-comm’ : V (mn: N) >m+n=n+m 
+-comm’ m zero rewrite +-identity’ m = refl 
+-comm’ m (Suc n) rewrite +-suc’ mn | +-comm’ mn =refl 


In the final line, rewriting with two equations is indicated by 
separating the two proofs of the relevant equations by a vertical 
bar; the rewrite on the left is performed before that on the right. 


Building proofs interactively 


It is instructive to see how to build the alternative proof of asso- 
ciativity using the interactive features of Agda in Emacs. Begin 


by typing: 


t+-assoc’ :V (mn p: N) - (m+n) +p2m+#+ (n 


+ p) 
+-assoc’ mnp= ? 


The question mark indicates that you would like Agda to help 
with filling in that part of the code. If you type C-c C-1 (con- 
trol-c followed by control-l), the question mark will be replaced: 


t+-assoc’ :V (mn p: N) -— (m+n) + p=2m+ (n 
+ p) 
+-assoc’ mnp = { }0 


The empty braces are called a hole, and O is a number used for 
referring to the hole. The hole may display highlighted in green. 
Emacs will also create a new window at the bottom of the screen 
displaying the text: 


20 : ((m +n) + p) = (m+ (n + p)) 


This indicates that hole 0 is to be filled in with a proof of the 
stated judgment. 


We wish to prove the proposition by induction on m. Move the 
cursor into the hole and type C-c C-c. You will be given the 
prompt: 


pattern variables to case (empty for split on 
result): 


Typing m will cause a split on that variable, resulting in an up- 
date to the code: 


t+-assoc’ :V (mn p: N) -— (m+n) + p2=m+ (n 
+ p) 

+-assoc’ zero n p = { }0 

+-assoc’ (suc m) np = { }l 


There are now two holes, and the window at the bottom tells you 
what each is required to prove: 


20 : ((zero + n) + p) = (zero + (n + p)) 
?1 ((suc m+n) +p) = (suc m+ (n + p)) 


Going into hole 0 and typing C-c c-, will display the text: 


Goal: (n + p) = (n + p) 
p:N 
n:N 


This indicates that after simplification the goal for hole 0 is as 
stated, and that variables p and n of the stated types are avail- 
able to use in the proof. The proof of the given goal is trivial, and 
going into the goal and typing C-c c-r will fill it in. Typing 
C-c C-1 renumbers the remaining hole to 0: 


t+-assoc’ :V (mn p: N) -— (m+n) + p2m#+ (n 
+ p) 

+-assoc’ zero n p = refl 

+-assoc’ (suc m) np = { }0 


Going into the new hole 0 and typing C-c c-, will display the 
text: 


Goal: suc ((m +n) + p) = suc (m + (n + p)) 


: N 
ni: N 
mi: N 
Again, this gives the simplified goal and the available variables. 


In this case, we need to rewrite by the induction hypothesis, so 
let’s edit the text accordingly: 


t+-assoc’ : V (mn p: N) - (m+n) + p=2m+ (n 
+ p) 

+-assoc’ zero n p = refl 

+-assoc’ (suc m) n p rewrite +-assoc’ mn p = { 
}0 


Going into the remaining hole and typing Cc-c c-, will display 
the text: 


Goal: suc (m + (n + p)) = suc (m+ (n + p)) 


: N 
ni: N 
m:N 


The proof of the given goal is trivial, and going into the goal and 
typing C-c C-r will fill it in, completing the proof: 


t+-assoc’ :V (mn p: N) - (m+n) + p2m+ (n 
+ p) 

+-assoc’ zero n p = refl 

+-assoc’ (suc m) n p rewrite +-assoc’ mn p = 
refl 


Exercise +—swap (recommended) 

Show 

m+ (n+p) =n+ (m+ p) 

for all naturals m, n, and p. No induction is needed, just apply 
the previous results which show addition is associative and com- 


mutative. 


-- Your code goes here 


Exercise *-distrib-+ (recommended) 


Show multiplication distributes over addition, that is, 
(m+n) * p=m* pt+n* p 
for all naturals m, n, and p. 


-- Your code goes here 


Exercise *—assoc (recommended) 


Show multiplication is associative, that is, 


(m * n) * p =m * (n * p) 
for all naturals m, n, and p. 


-- Your code goes here 


Exercise *-—comm (practice) 


Show multiplication is commutative, that is, 


for all naturals mand n. As with commutativity of addition, you 
will need to formulate and prove suitable lemmas. 


-- Your code goes here 


Exercise 0~n=0 (practice) 


Show 
zero ~ n = zero 


for all naturals n. Did your proof require induction? 


-- Your code goes here 


Exercise ~-+-assoc (practice) 


Show that monus associates with addition, that is, 
m~n*p=m* (n + p) 
for all naturals m, n, and p. 


-- Your code goes here 


Exercise +** (stretch) 


Show the following three laws 


m* (n + p) = (m%* n) * (m * p) (*-distrib!-+- 
*) 

(m* n) *~ p= (m%* p) * (n * p) (*-distrib'-*) 

(m *~ n) *~ p=m* (n * p) (*-*-assoc) 


for all m, n, and p. 


-- Your code goes here 


Exercise Bin-laws (stretch) 


Recall that Exercise Bin defines a datatype Bin of bitstrings rep- 
resenting natural numbers, and asks you to define functions 


inc : Bin > Bin 
to : N = Bin 
from : Bin oN 


Consider the following laws, where n ranges over naturals and 
b over bitstrings: 


from (inc b) = suc (from b) 
to (from b) = b 
from (to n) =n 


For each law: if it holds, prove; if not, give a counterexample. 


-- Your code goes here 
Standard library 
import Data.Nat.Properties using (+-assoc; +-identity"; +-suc; +-con 


Unicode 


This chapter uses the following unicode: 


VY U+2200 FOR ALL (\forall, \all) 

r U+02B3 MODIFIER LETTER SMALL R (\*r) 
'  U+2032 PRIME (\') 

" U+2033 DOUBLE PRIME (\"') 

" U+2034 TRIPLE PRIME (\') 

" U+2057 QUADRUPLE PRIME (\') 


Similar to \r, the command \%*r gives access to a variety of su- 
perscript rightward arrows, and also a superscript letter r. The 
command \' gives access to arange of primes(’ ”" ” ””). 


And here is the definition in Agda: And here is the correspond- 
ing Agda proof: If we wish, it is possible to provide implicit argu- 
ments explicitly by writing the arguments inside curly braces. 
For instance, here is the Agda proof that 2 < 4 repeated, with 
the implicit arguments made explicit:One may also identify im- 
plicit arguments by name:In the latter format, you can choose to 
only supply some implicit arguments: We can ask Agda to use the 
same inference to try and infer an explicit term, by writing _. For 
instance, we can define a variant of the proposition +- 
identity’ with implicit arguments: We declare the precedence 
for comparison as follows: There is only one way to prove that 
suc m < suc n, forany mand n. This lets us invert our previ- 
ous rule. Another example of inversion is showing that there is 
only one way a number can be less than or equal to zero. The 
first property to prove about comparison is that it is reflexive: for 
any natural n, the relation n < n holds. We follow the conven- 
tion in the standard library and make the argument implicit, as 
that will make it easier to invoke reflexivity: The second property 
to prove about comparison is that it is transitive: for any naturals 
m, n, and p,if m < nand _n < p hold, then m < p holds. 
Again, m, n, and p are implicit: Alternatively, we could make 
the implicit parameters explicit: The third property to prove 
about comparison is that it is antisymmetric: for all naturals m 
and n, if both m < nand n < mhold, then m = n holds: We 
specify what it means for inequality to be total: This is our first 
use of a datatype with parameters, in this case m and na. It is 
equivalent to the following indexed datatype: With that prelimi- 
nary out of the way, we specify and prove totality: Every use of 
with is equivalent to defining a helper function. For example, 
the definition above is equivalent to the following: If both argu- 
ments are equal, then both cases hold and we could return evi- 
dence of either. In the code above we return the forward case, 
but there is a variant that returns the flipped case: The proof is 
straightforward using the techniques we have learned, and is best 
broken into three parts. First, we deal with the special case of 
showing addition is monotonic on the right: Second, we deal 
with the special case of showing addition is monotonic on the 
left. This follows from the previous result and the commutativity 
of addition: Third, we combine the two previous results: We can 


define strict inequality similarly to inequality: As a further exam- 
ple, let’s specify even and odd numbers. Inequality and strict in- 
equality are binary relations, while even and odd are unary rela- 
tions, sometimes called predicates: We show that the sum of two 
even numbers is even: Definitions similar to those in this chapter 
can be found in the standard library: 


Relations: Inductive definition of rela- 
tions 


module plfa.partl.Relations where 


After having defined operations such as addition and multiplica- 
tion, the next step is to define relations, such as less than or equal. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 
open Eq using ( = ; refl; cong) 
open import Data.Nat using (N; zero; suc; + ) 


open import Data.Nat.Properties using (+-comm; +-identity’ ) 


Defining relations 


The relation less than or equal has an infinite number of in- 
stances. Here are a few of them: 


0 < 0 O<l1 O < 2 0 < 3 
1<il I <2 1 3S 

2< 2 2< 3 

3 < 3 


And yet, we can write a finite definition that encompasses all of 
these instances in just a few lines. Here is the definition as a pair 
of inference rules: 


suc m < suc n 


zen : V {n : N} 


Here z<n and s<s (with no spaces) are constructor names, 
while zero < n,and m < nand suc m < suc _n (with spa- 
ces) are types. This is our first use of an indexed datatype, where 
the type m < n is indexed by two naturals, m and n. In Agda 
any line beginning with two or more dashes is a comment, and 
here we have exploited that convention to write our Agda code 
in a form that resembles the corresponding inference rules, a 
trick we will use often from now on. 


Both definitions above tell us the same two things: 


* Base case: for all naturals n, the proposition zero < n 
holds. 

* Inductive case: for all naturals m and n, if the proposition 
m < n holds, then the proposition suc m < suc n 
holds. 


In fact, they each give us a bit more detail: 


* Base case: for all naturals n, the constructor z<n produces 
evidence that zero < n holds. 

* Inductive case: for all naturals m and n, the constructor 
s<s takes evidence that m < n holds into evidence that 
suc m < suc nholds. 


For example, here in inference rule notation is the proof that 2 


Implicit arguments 


This is our first use of implicit arguments. In the definition of in- 
equality, the two lines defining the constructors use V, very sim- 
ilar to our use of V in propositions such as: 


+-comm : V (mn: N) +>m+nz=2n¢4+mM 


However, here the declarations are surrounded by curly braces { 
} rather than parentheses ( ). This means that the arguments 
are implicit and need not be written explicitly; instead, they are 
inferred by Agda’s typechecker. Thus, we write +-comm m n for 
the proof that m + n = n + m, but z<n for the proof that 
zero <_n, leaving n implicit. Similarly, if m<n is evidence that 
m < n, we write s<s m<n for evidence that suc m < suc n, 
leaving both mand _ n implicit. 


:2s4 
sss {1} {3} (sss {0} {2} (zsn {2})) 


: 4 
= sss {m = 1} {n = 3} (sss {m = 0} {n = 2} (zsn {n = 2})) 


: 4 
= sss {n = 3} (sss {n = 2} zsn) 


It is not permitted to swap implicit arguments, even when 
named. 


+-identity"’ : V {m : N} + m+ zero=m 
+-identity"’ = +-identity" _ 


We use _ to ask Agda to infer the value of the explicit argument 
from context. There is only one value which gives us the correct 
proof, m, so Agda happily fills it in. If Agda fails to infer the 
value, it reports an error. 


Precedence 


infix 4 <=. 
We set the precedence of _<_ at level 4, so it binds less tightly 
than _+_ at level6 and hence 1 + 2 < 3 parsesas (1 + 2) 
< 3. We write infix to indicate that the operator does not as- 
sociate to either the left or right, as it makes no sense to parse 1 
< 2 < 3aseither (1 < 2) < 30r1< (2 < 3). 


Decidability 


Given two numbers, it is straightforward to compute whether or 
not the first is less than or equal to the second. We don’t give the 
code for doing so here, but will return to this point in Chapter 
Decidable. 


Inversion 


In our definitions, we go from smaller things to larger things. For 
instance, from m < n wean conclude suc m < suc Qn, 
where suc mis bigger than m (that is, the former contains the 
latter), and suc n is bigger than n. But sometimes we want to 
go from bigger things to smaller things. 


inv-sss : V {mn : N} 
> suc ms suc n 


s<s msn) = msn 


Here m<n (with no spaces) is a variable name while m < n 
(with spaces) is a type, and the latter is the type of the former. It 
is acommon convention in Agda to derive a variable name by re- 
moving spaces from its type. 


Not every rule is invertible; indeed, the rule for z<n has no non- 
implicit hypotheses, so there is nothing to invert. But often inver- 
sions of this kind hold. 


> m = zero 
inv-zsn zsn = refl 


Properties of ordering relations 


Relations pop up all the time, and mathematicians have agreed 
on names for some of the most common properties. 


* Reflexive. For all n, the relation n < n holds. 

* Transitive. For all m, n, and p, if m < nandn < p 
hold, then m < p holds. 

* Anti-symmetric. For all mand n, if both m < nand n < 
m hold, then m = n holds. 

* Total. For all mand n, either m < nor n < mholds. 


The relation _<_ satisfies all four of these properties. 


There are also names for some combinations of these properties. 


* Preorder. Any relation that is reflexive and transitive. 
* Partial order. Any preorder that is also anti-symmetric. 
* Total order. Any partial order that is also total. 


If you ever bump into a relation at a party, you now know how 
to make small talk, by asking it whether it is reflexive, transitive, 
anti-symmetric, and total. Or instead you might ask whether it is 
a preorder, partial order, or total order. 


Less frivolously, if you ever bump into a relation while reading a 


technical paper, this gives you a way to orient yourself, by 
checking whether or not it is a preorder, partial order, or total 
order. A careful author will often call out these properties—or 
their lack—for instance by saying that a newly introduced rela- 
tion is a partial order but not a total order. 


Exercise orderings (practice) 

Give an example of a preorder that is not a partial order. 
-- Your code goes here 

Give an example of a partial order that is not a total order. 


-- Your code goes here 


Reflexivity 


>nen 

s-refl {zero} = zsn 
s-refl {suc n} = sss s-refl 

The proof is a straightforward induction on the implicit argu- 
ment n. In the base case, zero < zero holds by z<n. In the 
inductive case, the inductive hypothesis <-refl {n} givesusa 
proof of n < n,and applying s<s to that yields a proof of suc 
n < suc n. 


It is a good exercise to prove reflexivity interactively in Emacs, 
using holes and the C-c C-c, C-c C-,, and C-c C-r com- 
mands. 


Transitivity 


>msp 
-trans zsn _ 
trans (sss msn) (sss nsp) 


zsn 
sss (s-trans msn nsp) 


= 
<- 


Here the proof is by induction on the evidence that m < n. In the 
base case, the first inequality holds by z<n and must show 
zero < p, which follows immediately by z<n. In this case, the 
fact that n < p is irrelevant, and we write _ as the pattern to 
indicate that the corresponding evidence is unused. 


In the inductive case, the first inequality holds by s<s m<n and 

the second inequality by s<s n<p, and so we are given suc m 
suc nand suc n < suc p,and must show suc m < suc 

. The inductive hypothesis <-trans m<n n<p establishes that 
< p, and our goal follows by applying s<s. 


3 OIA 


The case <-trans (s<s msn) z<n cannot arise, since the 
first inequality implies the middle value is suc n while the sec- 
ond inequality implies that it is zero. Agda can determine that 
such a case cannot arise, and does not require (or permit) it to be 
listed. 


>ms 
>nsp 
>msp 
<-trans’ zero _ _ zsn _ = zsn 
<-trans’ (suc m) (suc n) (suc p) (sss msn) (sss nsp) = Sss 


One might argue that this is clearer or one might argue that the 
extra length obscures the essence of the proof. We will usually 
opt for shorter proofs. 


The technique of induction on evidence that a property holds 
(e.g., inducting on evidence that m < n)—rather than induction 
on values of which the property holds (e.g., inducting on m)— 
will turn out to be immensely valuable, and one that we use of- 
ten. 


Again, it is a good exercise to prove transitivity interactively in 
Emacs, using holes and the C-c C-c, C-c C-,,and C-c C-r 


(s-trar 


commands. 
Anti-symmetry 


s-antisym : V {mn : N} 


omen 
>nem 
>men 

<-antisym zs<n zsn = refl 

<-antisym (s<s msn) (sss nsm) = cong suc (s-antisym msn nsm) 


Again, the proof is by induction over the evidence that m < n 
and n < mhold. 


In the base case, both inequalities hold by z<n, and so we are 
given zero < zeroand zero < zero and must show zero 
= zero, which follows by reflexivity. (Reflexivity of equality, 
that is, not reflexivity of inequality.) 


In the inductive case, the first inequality holds by s<s m<n and 
the second inequality holds by s<s n<m, and so we are given 
suc m < suc nand suc n < suc mand must show suc m 
= suc n. The inductive hypothesis <-antisym m<n né<m es- 
tablishes that m = n, and our goal follows by congruence. 


Exercise <-antisym-cases (practice) 


The above proof omits cases where one argument is z<n and 
one argument is s<s. Why is it ok to omit them? 


-- Your code goes here 


Total 
The fourth property to prove about comparison is that it is total: 
for any naturals mand neither m < nor n < m,or bothif m 


and n are equal. 


data Total (mn: N) : Set where 


forward : 
m<n 


~- Total mn 


flipped : 
nem 


~ Total mn 


Evidence that Total m n holds is either of the form forward 
m<n or flipped n<m, where m<n and n<m are evidence of m 
< nand n < mrespectively. 


(For those familiar with logic, the above definition could also be 
written as a disjunction. Disjunctions will be introduced in Chap- 
ter Connectives.) 


data Total’ : N-N = Set where 


forward’ : V {mn : N} 
>me<n 


~ Total’ mn 


flipped’ : V {mn : N} 
>ne<m 


~ Total’ mn 


Each parameter of the type translates as an implicit parameter of 
each constructor. Unlike an indexed datatype, where the indexes 
can vary (asin zero < nand suc m < suc n), ina parame- 
terised datatype the parameters must always be the same (as in 
Total m n). Parameterised declarations are shorter, easier to 
read, and occasionally aid Agda’s termination checker, so we will 
use them in preference to indexed types when possible. 


<-total : V (mn: N) - Total mn 

<-total zero n = forward zsn 
<-total (suc m) zero = flipped zsn 
<-total (suc m) (suc n) with s-total mn 


| forward msn 
| flipped ns=m 


forward (sss msn) 
flipped (sss nsm) 


In this case the proof is by induction over both the first and sec- 
ond arguments. We perform a case analysis: 


* First base case: If the first argument is zero and the sec- 
ond argument is n then the forward case holds, with z<n 
as evidence that zero < n. 


* Second base case: If the first argument is suc m and the 
second argument is zero then the flipped case holds, with 
z<n as evidence that zero < suc m. 


* Inductive case: If the first argument is suc m and the sec- 
ond argument is suc _ n, then the inductive hypothesis <- 
total m n establishes one of the following: 


© The forward case of the inductive hypothesis holds 
with m<n as evidence that m < n, from which it 
follows that the forward case of the proposition 
holds with s<s m<n as evidence that suc m < 
suc n. 


© The flipped case of the inductive hypothesis holds 
with n<m as evidence that n < m, from which it 
follows that the flipped case of the proposition holds 
with s<s n<mas evidence that suc n < suc m. 


This is our first use of the with clause in Agda. The keyword 
with is followed by an expression and one or more subsequent 
lines. Each line begins with an ellipsis (...) and a vertical bar 
(|), followed by a pattern to be matched against the expression 
and the right-hand side of the equation. 


-total’ : V (mn: N) = Totalmn 

“ zero n = forward zsn 

-total’ (suc m) zero flipped zsn 

otal’ (suc m) (suc n) helper (s-total’ mn) 


1 

ce ck ct ct 
fo} 
lm 
fed) 
i 
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helper : Total mn - Total (suc m) (suc n) 
helper (forward msn) = forward (sss msn) 


helper (flipped nsm) = flipped (sss nsm) 


This is also our first use of a where clause in Agda. The key- 
word where is followed by one or more definitions, which must 
be indented. Any variables bound on the left-hand side of the 
preceding equation (in this case, m and n) are in scope within 
the nested definition, and any identifiers bound in the nested def- 
inition (in this case, helper) are in scope in the right-hand side 
of the preceding equation. 


<-total” :V (mn: N) - Totalmn 

<-total” m zero = flipped zsn 
<-total” zero (suc n) = forward zsn 
<-t 


-total” (suc m) (suc n) with s-total” mn 
sa | forward msn 
| flipped n=m 


forward (sss msn) 
flipped (sss nsm) 


It differs from the original code in that it pattern matches on the 
second argument before the first argument. 


Monotonicity 


If one bumps into both an operator and an ordering at a party, 
one may ask if the operator is monotonic with regard to the or- 
dering. For example, addition is monotonic with regard to in- 
equality, meaning: 


Vimnpgq:N}+ms<sn->p<eqremtpKtcnig 


psq 
sss (+-mono'-< n p q psq) 


The proof is by induction on the first argument. 


+ Base case: The first argument is zero in which case zero 
+ p < zero + q simplifies to p < q, the evidence for 
which is given by the argument p<q. 


* Inductive case: The first argument is suc n, in which case 
suc n + p < suc n + qsimplifies to suc (n + p) 
< suc (n + q). The inductive hypothesis +-mono'-< n 
p q ps<q establishes that n + p < n + q, and our goal 
follows by applying s<s. 


>msn 
>mt+tpsn+p 
+-mono'-s mnpmsn rewrite +-comm mp | +-commnp = +-mono'-s p 


Rewriting by +-comm m pand +-comm n pconverts m + p 


<n + pinto p + m < p + n, which is proved by invoking 


+-mono’-< p mn msn. 


oms 

-~psq 

>m+t+psn+q 
+-mono-s mnpqmsn psq = s-trans (+-mono'-s mnp msn) (+-mono'- 
Invoking +-mono!-< mn p m<n proves m + p < n + pand 
invoking +-mono'-< n p q ps<q proves n + p < n+ q, 
and combining these with transitivity proves m + p < n+ q, 


as was to be shown. 

Exercise *—mono-< (stretch) 

Show that multiplication is monotonic with regard to inequality. 
-- Your code goes here 

Strict inequality 


infix 4 <_ 
data < : N-N -> Set where 


z<s_ : V {n : N} 


s<s : V {mn : N} 


> suc m < suc n 


The key difference is that zero is less than the successor of an ar- 
bitrary number, but is not less than zero. 


Clearly, strict inequality is not reflexive. However it is irreflexive 
in that n < n never holds for any value of n. Like inequality, 
strict inequality is transitive. Strict inequality is not total, but sat- 
isfies the closely related property of trichotomy: for any mand n, 
exactly one of m < n, m = n, or m > n holds (where we de- 
fine m > n to hold exactly when n < m). It is also monotonic 
with regards to addition and multiplication. 


Most of the above are considered in exercises below. Irreflexivity 
requires negation, as does the fact that the three cases in tri- 
chotomy are mutually exclusive, so those points are deferred to 
Chapter Negation. 


It is straightforward to show that suc m < nimplies m < n, 
and conversely. One can then give an alternative derivation of 
the properties of strict inequality, such as transitivity, by exploit- 
ing the corresponding properties of inequality. 


Exercise <-trans (recommended) 


Show that strict inequality is transitive. Use a direct proof. (A 
later exercise exploits the relation between < and <.) 


-- Your code goes here 


Exercise trichotomy (practice) 


Show that strict inequality satisfies a weak version of trichotomy, 
in the sense that for any m and n that one of the following 
holds: * m < n,* m = n,or* m> on. 


Define m > nto be the same as n < m. You will need a suit- 
able data declaration, similar to that used for totality. (We will 
show that the three cases are exclusive after we introduce nega- 
tion.) 


-- Your code goes here 


Exercise +—mono-< (practice) 


Show that addition is monotonic with respect to strict inequality. 
As with inequality, some additional definitions may be required. 


-- Your code goes here 


Exercise <-<, <—< (recommended) 
Show that suc m < nimplies m < n, and conversely. 


-- Your code goes here 


Exercise <-trans-revisited (practice) 
Give an alternative proof that strict inequality is transitive, using 
the relation between strict inequality and inequality and the fact 


that inequality is transitive. 


-- Your code goes here 


Even and odd 


data even : N = Set 
data odd_ : N > Set 


data even where 


even zero 


> even (suc n) 
data odd where 


suc : VW {n:: N} 
> even n 


~ odd (suc n) 


A number is even if it is zero or the successor of an odd number, 
and odd if it is the successor of an even number. 


This is our first use of a mutually recursive datatype declaration. 
Since each identifier must be defined before it is used, we first 
declare the indexed types even and odd (omitting the where 
keyword and the declarations of the constructors) and then de- 
clare the constructors (omitting the signatures N — Set which 
were given earlier). 


This is also our first use of overloaded constructors, that is, using 
the same name for constructors of different types. Here suc 
means one of three constructors: 


suc : NaN 


suc : V {n : N} 
> oddn 


> even (suc n) 


suc : V {n : N} 


Similarly, zero refers to one of two constructors. Due to how it 
does type inference, Agda does not allow overloading of defined 
names, but does allow overloading of constructors. It is recom- 
mended that one restrict overloading to related meanings, as we 


have done here, but it is not required. 


ete=e : V {mn : N} 
> even m 
> even n 


ote=o : V {mn : N} 
~ odd m 
> even n 


e+e=e zero en 
e+e=e (suc om) en 


en 
suc (0+e=0 om en) 


o+e=o0 (Suc em) en = suc (e+e=e em en) 


Corresponding to the mutually recursive types, we use two mutu- 
ally recursive functions, one to show that the sum of two even 
numbers is even, and the other to show that the sum of an odd 
and an even number is odd. 


This is our first use of mutually recursive functions. Since each 
identifier must be defined before it is used, we first give the sig- 
natures for both functions and then the equations that define 
them. 


To show that the sum of two even numbers is even, consider the 
evidence that the first number is even. If it is because it is zero, 
then the sum is even because the second number is even. If it is 
because it is the successor of an odd number, then the result is 
even because it is the successor of the sum of an odd and an even 
number, which is odd. 


To show that the sum of an odd and even number is odd, con- 
sider the evidence that the first number is odd. If it is because it 
is the successor of an even number, then the result is odd be- 
cause it is the successor of the sum of two even numbers, which 
is even. 


Exercise o+oze (stretch) 
Show that the sum of two odd numbers is even. 


-- Your code goes here 


Exercise Bin-predicates (stretch) 


Recall that Exercise Bin defines a datatype Bin of bitstrings rep- 
resenting natural numbers. Representations are not unique due to 
leading zeros. Hence, eleven may be represented by both of the 
following: 


() TOIT 
Y.OOIOTITI 


Define a predicate 
Can : Bin > Set 


over all bitstrings that holds if the bitstring is canonical, meaning 
it has no leading zeros; the first representation of eleven above is 
canonical, and the second is not. To define it, you will need an 
auxiliary predicate 


One : Bin > Set 


that holds only if the bitstring has a leading one. A bitstring is 
canonical if it has a leading one (representing a positive number) 
or if it consists of a single zero (representing zero). 


Show that increment preserves canonical bitstrings: 


Can b 


Can (inc b) 


Show that converting a natural to a bitstring always yields a 
canonical bitstring: 


Can (to n) 


Show that converting a canonical bitstring to a natural and back 
is the identity: 


Can b 


to (from b) =b 


(Hint: For each of these, you may first need to prove related 
properties of One. Also, you may need to prove that if One b 
then 1 is less or equal to the result of from b.) 


-- Your code goes here 


Standard library 


import Data.Nat using (_s ; zsn; sss) 


import Data.Nat.Properties using (s-refl; <-trans; <-antisym; <-tote 
+-mono"-<; +-mono'-s; +-mono-<) 


In the standard library, <-total is formalised in terms of dis- 
junction (which we define in Chapter Connectives), and +- 
mono'-<, +-mono!-<, +-mono-< are proved differently than 
here, and more arguments are implicit. 


Unicode 


This chapter uses the following unicode: 


U+2264 LESS-THAN OR EQUAL TO (\<=, \le) 
U+2265 GREATER-THAN OR EQUAL TO (\>=, \ge) 
U+02E1 MODIFIER LETTER SMALL L (\%1) 

r U+02B3 MODIFIER LETTER SMALL R (\%*r) 


“MIA 


The commands \*1 and \%*r give access to a variety of super- 
script leftward and rightward arrows in addition to superscript 
letters 1 and r. 


We declare equality as follows: We declare the precedence of 
equality as follows: An equivalence relation is one which is re- 
flexive, symmetric, and transitive. Reflexivity is built-in to the 
definition of equality, via the constructor ref1. It is straightfor- 
ward to show symmetry: Transitivity is equally straightforward: 
Equality satisfies congruence. If two terms are equal, they remain 
so after the same function is applied to both:Congruence of func- 
tions with two arguments is similar:Equality is also a congruence 
in the function position of an application. If two functions are 
equal, then applying them to the same term yields equal 
terms:Equality also satisfies substitution. If two values are equal 
and a predicate holds of the first then it also holds of the second: 
Here we show how to support reasoning with chains of equa- 
tions, as used throughout the book. We package the declarations 
into a module, named =-Reasoning, to match the format used 
in Agda’s standard library: As an example, let’s look at a proof of 
transitivity as a chain of equations: As a second example of 
chains of equations, we repeat the proof that addition is commu- 
tative. We first repeat the definitions of naturals and addition. 
We cannot import them because (as noted at the beginning of 
this chapter) it would cause a conflict:To save space we postulate 
(rather than prove in full) two lemmas: We then repeat the proof 
of commutativity: Consider a property of natural numbers, such 
as being even. We repeat the earlier definition: Agda includes 
special notation to support just this kind of reasoning, the 
rewrite notation we encountered earlier. To enable this nota- 
tion, we use pragmas to tell Agda which type corresponds to 
equality:We can then prove the desired property as follows: One 
may perform multiple rewrites, each separated by a vertical bar. 
For instance, here is a second proof that addition is commutative, 
relying on rewrites rather than chains of equalities: The 
rewrite notation is in fact shorthand for an appropriate use of 
with abstraction: In this case, we can avoid rewrite by simply 
applying the substitution function defined earlier: Let x and y 
be objects of type A. We say that x = y holds if for every pred- 
icate P over type A we have that P x implies P y: Leibniz 
equality is reflexive and transitive, where the first follows by a 
variant of the identity function and the second by a variant of 
function composition:Symmetry is less obvious. We have to show 


that if P x implies P y for all predicates P, then the implica- 
tion holds the other way round as well: We now show that Mar- 
tin-L6f equality implies Leibniz equality, and vice versa. In the 
forward direction, if we know x = y we need for any P to take 
evidence of P x to evidence of P y, which is easy since equal- 
ity of x and y implies that any proof of P x is also a proof of 
P y: In the reverse direction, given that for any P we can take a 
proof of P x toa proof of P y we need to show x = y: The 
answer is universe polymorphism, where a definition is made with 
respect to an arbitrary level ¢. To make use of levels, we first 
import the following: Here is the definition of equality, gener- 
alised to an arbitrary level:Similarly, here is the generalised defi- 
nition of symmetry: Here is the generalised definition of Leibniz 
equality: Most other functions in the standard library are also 
generalised to arbitrary levels. For instance, here is the definition 
of composition. Definitions similar to those in this chapter can be 
found in the standard library. The Agda standard library defines 
_=(_)_ as step-=, which reverses the order of the arguments. 
The standard library also defines a syntax macro, which is auto- 
matically imported whenever you import step-=, which recov- 
ers the original argument order: 


Equality: Equality and equational rea- 
soning 


module plfa.partl.Equality where 


Much of our reasoning has involved equality. Given two terms M 
and N, both of type A, we write M = N to assert that Mand N 
are interchangeable. So far we have treated equality as a primi- 
tive, here we show how to define it as an inductive datatype. 


Imports 


This chapter has no imports. Every chapter in this book, and 
nearly every module in the Agda standard library, imports equal- 
ity. Since we define equality here, any import would create a 
conflict. 


Equality 


data = {A : Set} (x : A) : A > Set where 


refl : x =x 


In other words, for any type A and for any x of type A, the con- 
structor refl provides evidence that x = x. Hence, every 
value is equal to itself, and we have no other way of showing 
values equal. The definition features an asymmetry, in that the 
first argument to _=_ is given by the parameter x : A, while 
the second is given by an index in A - Set. This follows our 
policy of using parameters wherever possible. The first argument 
to _= can be a parameter because it doesn’t vary, while the 
second must be an index, so it can be required to be equal to the 
first. 


infix 4 = 


We set the precedence of _=_ at level 4, the same as _< , 
which means it binds less tightly than any arithmetic operator. It 
associates neither to left nor right; writing x = y = z is illegal. 
Equality is an equivalence relation 


sym : V {A : Set} {x y : A} 


> X y 
-y=x 
sym refl = refl 


How does this proof work? The argument to sym has type x = 
y, but on the left-hand side of the equation the argument has 
been instantiated to the pattern refl, which requires that x 
and y are the same. Hence, for the right-hand side of the equa- 
tion we need a term of type x = x, and refl will do. 


It is instructive to develop sym interactively. To start, we supply 
a variable for the argument on the left, and a hole for the body 
on the right: 


y 
> y=x 
syme = {! !} 


If we go into the hole and type C-c cC-, then Agda reports: 


Goal: .y = .x 
e KS ay 
-y A 
~xX oA 
A Set 


If in the hole we type C-c C-c e then Agda will instantiate e 
to all possible constructors, with one equation for each. There is 
only one possible constructor: 


sym : V {A : Set} {x y : A} 


> y =x 
sym refl = {! !} 


If we go into the hole again and type C-c c-, then Agda now 
reports: 


Goal: .x = .x 
x A 
A Set 


This is the key step—Agda has worked out that x and y must be 
the same to match the pattern ref1! 


Finally, if we go back into the hole and type C-c C-r it will in- 
stantiate the hole with the one constructor that yields a value of 
the expected type: 


> y=x 
sym refl = refl 


This completes the definition as given above. 


trans : V {A :: Set} {x yz: A} 


-X=Yy 
-y=zz 
> X=2 

trans refl refl = refl 


Again, a useful exercise is to carry out an interactive develop- 
ment, checking how Agda’s knowledge changes as each of the 
two arguments is instantiated. 


Congruence and substitution 


cong : V {AB: Set} (f : A> B) {x y: A} 
-X=Yy 


~fxe=fy 
cong f refl = refl 


congz : V {ABC: Set} (f : A+>B-C) {ux: A} {vy : B} 
>u=xX 


uv=fxy 
congz f refl refl = refl 


cong-app : V {AB : Set} {f g : A - B} 
+ f= 
~ V(x :A)-f x 
cong-app refl x = re 


+ Ill 
co 


subst : V {A : Set} {x y : A} (P_: A > Set) 
>XE=Y 


>~Px-Py 
subst P refl px = px 


A predicate is a proposition over values of some type A, and 
since we model propositions as types, a predicate is a type parame- 
terized in A. As an example, consider our earlier examples even 
and odd from Chapter Relations, which are predicates on natu- 
ral numbers N. (We will compare representing predicates as in- 
ductive data types A > Set versus functions to booleans A = 
Bool in Chapter Decidable.) 


Chains of equations 


module =-Reasoning {A : Set} where 


infix 1 begin_ 
infixr 2 =() =) 


infix 3 8 


begin :V{xy: A} 


27 X= Y 
"7 X=Y 
begin x=y = x= 
=()_ : V (xs A) fy : A} 
27 X= Y 
7 X= Y 
xX =() xey = Xe 
—=(_) : V (x: A) fy z: A} 
- X= Y 
>y=z 
~ X=Z 
x =( xey ) y=z = trans x=y y=z 
om: V(x: A) 


open =-Reasoning 


This is our first use of a nested module. It consists of the keyword 
module followed by the module name and any parameters, ex- 
plicit or implicit, the keyword where, and the contents of the 
module indented. Modules may contain any sort of declaration, 
including other nested modules. Nested modules are similar to 
the top-level modules that constitute each chapter of this book, 
save that the body of a top-level module need not be indented. 
Opening the module makes all of the definitions available in the 
current environment. 


trans’ : V {A : Set} {x y z : A} 
y 


N 


> X= 


Z 
trans’ {A} {x} {y} {Zz} xey y=z = 
begin 


According to the fixity declarations, the body parses as follows: 
begin (x =( #=y ) (y =C y=z) (2 -8))) 


The application of begin is purely cosmetic, as it simply returns 
its argument. That argument consists of _=(_)_ applied to x, 
x=y, and y =( y=z ) (z &i). The first argument is a term, x, 
while the second and third arguments are both proofs of equa- 
tions, in particular proofs of x = y and y = z respectively, 
which are combined by trans in the body of _=(_) to yielda 
proof of x = z. The proof of y = z consists of _=(_) applied 
to y, y=z, and z HE. The first argument is a term, y, while the 
second and third arguments are both proofs of equations, in par- 
ticular proofs of y = z and z = z respectively, which are 
combined by trans in the body of _=(_)_ to yielda proof of y 
= z. Finally, the proof of z = z consists of _f applied to the 


term z, which yields refl. After simplification, the body is 
equivalent to the term: 


trans x=y (trans y=z refl) 


We could replace any use of a chain of equations by a chain of 
applications of trans; the result would be more compact but 
harder to read. The trick behind HM means that a chain of equali- 
ties simplifies to a chain of applications of trans that ends in 
trans e refl, where e is a term that proves some equality, 
even though e alone would do. 


Exercise trans and =—-Reasoning (practice) 


Sadly, we cannot use the definition of trans’ using =-Reasoning 
as the definition for trans. Can you see why? (Hint: look at the 
definition of _=(_)_) 


-- Your code goes here 


Chains of equations, another example 


data N : Set where 
zero : N 
suc :N-N 


+ :N3ON-N 


zero +n 
(suc m) +n 


postulate 
+-identity : V (m: N) > m+ zero =m 
+-suc : V (mn: N) > m+ suc n = suc (m+n) 


This is our first use of a postulate. A postulate specifies a signa- 
ture for an identifier but no definition. Here we postulate some- 
thing proved earlier to save space. Postulates must be used with 
caution. If we postulate something false then we could use Agda 
to prove anything whatsoever. 


+-comm : V (mn: N) >m+n2n+M 
+-comm m zero = 
begin 
m + zero 
=( +-identity m }) 


zero + m 


+-comm m (suc n) = 


suc (m + n) 

=( cong suc (+-comm mn) ) 
suc (n + m) 

=() 


suc n +m 


The reasoning here is similar to that in the preceding section. We 
use _=() when no justification is required. One can think of 
_=()_ as equivalent to _=({ refl )_. 


Agda always treats a term as equivalent to its simplified term. 
The reason that one can write 


suc (n + m) 
=() 


suc n +m 


is because Agda treats both terms as the same. This also means 
that one could instead interchange the lines and write 


suc n +m 
=() 


suc (n + m) 


and Agda would not object. Agda only checks that the terms sep- 
arated by =() have the same simplified form; it’s up to us to 
write them in an order that will make sense to the reader. 


Exercise <-Reasoning (stretch) 


The proof of monotonicity from Chapter Relations can be written 
in a more readable form by using an analogue of our notation for 
=—-Reasoning. Define <-Reasoning analogously, and use it to 
write out an alternative proof that addition is monotonic with re- 
gard to inequality. Rewrite all of +-mono!-<, +-mono'-<, and 
+-mono-<. 


-- Your code goes here 
Rewriting 


data even : N = Set 
data odd_ : N => Set 


data even where 
even-zero : even zero 


even-suc : V {n : N} 
~ odd n 


> even (suc n) 


data odd where 
odd-suc : V {n : N} 
> even n 


~ odd (suc n) 


In the previous section, we proved addition is commutative. 
Given evidence that even (m + n) holds, we ought also to be 
able to take that as evidence that even (n + m) holds. 


{-# BUILTIN EQUALITY = #-} 


> even (m +n) 


> even (n + m) 
even-comm mn ev rewrite +-commnm = ev 


Here ev ranges over evidence that even (m + n) holds, and 


we show that it also provides evidence that even (n + m) 
holds. In general, the keyword rewrite is followed by evidence 
of an equality, and that equality is used to rewrite the type of the 
goal and of any variable in scope. 


It is instructive to develop even-comm interactively. To start, 
we supply variables for the arguments on the left, and a hole for 
the body on the right: 


even-comm : V (mn: N) 
> even (m + n) 


> even (n + m) 
even-comm mn ev = {! !} 


If we go into the hole and type C-c cC-, then Agda reports: 


Goal: even (n + m) 


ev : even (m + n) 
n : N 
m : N 


Now we add the rewrite: 


even-comm : V (mn: N) 
> even (m + n) 


> even (n + m) 
even-comm mn ev rewrite +-comm nm = {! !} 


If we go into the hole again and type C-c c-, then Agda now 
reports: 


Goal: even (m + n) 


ev : even (m + n) 
n :N 
m : N 


The arguments have been swapped in the goal. Now it is trivial 


to see that ev satisfies the goal, and typing C-c C-a in the 
hole causes it to be filled with ev. The command C-c C~a per- 
forms an automated search, including checking whether a vari- 
able in scope has the same type as the goal. 


Multiple rewrites 


+-comm’ : V (mn: N) >m+n=n+mMm 
+-comm’ zero n rewrite +-identity n 
+-comm’ (suc m) n_ rewrite +-suc nm | +-comm’ mn 


refl 
refl 


This is far more compact. Among other things, whereas the pre- 
vious proof required cong suc (+-comm m n) as the justifi- 
cation to invoke the inductive hypothesis, here it is sufficient to 
rewrite with +—comm m n, as rewriting automatically takes con- 
gruence into account. Although proofs with rewriting are shorter, 
proofs as chains of equalities are easier to follow, and we will 
stick with the latter when feasible. 


Rewriting expanded 


even-comm’ : V (mn: N) 
> even (m+n) 


> even (n + m) 
even-comm’ mn ev with m+n | +-commmn 
| .(n +m) | refl = ev 


In general, one can follow with by any number of expressions, 
separated by bars, where each following equation has the same 
number of patterns. We often write expressions and the corre- 
sponding patterns so they line up in columns, as above. Here the 
first column asserts that m + n and n + mare identical, and 
the second column justifies that assertion with evidence of the 
appropriate equality. Note also the use of the dot pattern, .(n + 
m). A dot pattern consists of a dot followed by an expression, 
and is used when other information forces the value matched to 
be equal to the value of the expression in the dot pattern. In this 
case, the identification of m + nand n + mis justified by the 
subsequent matching of +—-comm m n against refl. One might 


think that the first clause is redundant as the information is in- 
herent in the second clause, but in fact Agda is rather picky on 
this point: omitting the first clause or reversing the order of the 
clauses will cause Agda to report an error. (Try it and see!) 


even-comm” : V (mn: N) 
> even (m +n) 


> even (n + m) 
even-comm” mn = subst even (+-comm m n) 


Nonetheless, rewrite is a vital part of the Agda toolkit. We will 
use it sparingly, but it is occasionally essential. 


Leibniz equality 


The form of asserting equality that we have used is due to Mar- 
tin-Lof, and was published in 1975. An older form is due to Leib- 
niz, and was published in 1686. Leibniz asserted the identity of 
indiscernibles: two objects are equal if and only if they satisfy the 
same properties. This principle sometimes goes by the name 
Leibniz’ Law, and is closely related to Spock’s Law, “A difference 
that makes no difference is no difference”. Here we define Leib- 
niz equality, and show that two terms satisfy Leibniz equality if 
and only if they satisfy Martin-Lof equality. 


Leibniz equality is usually formalised to state that x = y holds 
if every property P that holds of x also holds of y. Perhaps sur- 
prisingly, this definition is sufficient to also ensure the converse, 
that every property P that holds of y also holds of x. 


t} (x : A) = Seti 
(P : A > Set) ~Px-Py 


We cannot write the left-hand side of the equation as x = y, 
and instead we write _=_ {A} x y to provide access to the im- 
plicit parameter A which appears on the right-hand side. 


This is our first use of levels. We cannot assign Set the type 
Set, since this would lead to contradictions such as Russell’s 


Paradox and Girard’s Paradox. Instead, there is a hierarchy of 


types, where Set : Seti, Seti : Setz2, and so on. In fact, 
Set itself is just an abbreviation for Seto. Since the equation 
defining _= mentions Set on the right-hand side, the corre- 


sponding signature must use Set . We say a bit more about lev- 
els below. 


refl-= : V {A : Set} {x : A} 
>X =x 
refl-= P Px = Px 


: V {A : Set} {x y z: A} 


trans-= x+y y+z P Px = yz P (x+y P Px) 


sym-= : V {A : Set} {x y : A} 


ad X 
sym-= {A} {x} {y} x#y P = Qy 


where 
Q:A- Set 
Qz=Pz-Px 
Qx :Qx 
Qx = refl-= P 
Qy:Qy 
Qy = x#y Q Qx 


Given x = y,a specific P, we have to construct a proof that P 
y implies P x. To do so, we instantiate the equality with a pred- 
icate Q such that Q z holdsif P z implies P x. The property 
Q x is trivial by reflexivity, and hence Q y follows from x = 
y. But Q y is exactly a proof of what we require, that P y im- 
plies P x. 


=-implies-= : V {A : Set} {x y : A} 
-X=Yy 
>-xX=y 

=-implies-+ x=y P = subst P x=y 


This direction follows from substitution, which we showed ear- 
lier. 


+-implies-= : V {A : Set} {x y : A} 
>-xX=y 


> XE= 
+-implies-= {A} {x} {y} x#y = Qy 
where 
Q:A- Set 
Qz=x=zZ 
Qx :Qx 
Qx = refl 
Q:Qy 
Qy = x#y Q Qx 


The proof is similar to that for symmetry of Leibniz equality. We 
take Q to be the predicate that holds of zif x = z. Then Q x 
is trivial by reflexivity of Martin-Lof equality, and hence Q y 
follows from x = y. But Q y is exactly a proof of what we re- 
quire, that x = y. 

(Parts of this section are adapted from ===: Leibniz Equality is 
Isomorphic to Martin-L6of Identity, Parametrically, by Andreas Abel, 
Jesper Cockx, Dominique Devries, Andreas Nuyts, and Philip 
Wadler, draft, 2017.) 


Universe polymorphism 


As we have seen, not every type belongs to Set, but instead ev- 
ery type belongs somewhere in the hierarchy Seto, Seti, 
Set2, and so on, where Set abbreviates Seto, and Seto 
Seti, Seti : Setz, and so on. The definition of equality given 
above is fine if we want to compare two values of a type that be- 
longs to Set, but what if we want to compare two values of a 
type that belongs to Set ?¢ for some arbitrary level ?? 


open import Level using (Level; LU) renaming (zero to lzero; suc tc 


We rename constructors zero and sucto lzero and lsuc to 
avoid confusion between levels and naturals. 


Levels are isomorphic to natural numbers, and have similar con- 
structors: 


lzero : Level 
lsuc : Level - Level 


The names Seto, Seti, Setz2, and so on, are abbreviations for 


Set lzero 
Set (lsuc l1zero) 
Set (lsuc (lsuc 1zero)) 


and so on. There is also an operator 


U : Level > Level - Level 


that given two levels returns the larger of the two. 


data =’ {@: Level} {A : Set 2} (x : A) : A > Set 2 where 


refl’ : x =’ x 


sym’ : V {2 : Level} {A : Set 2} {x y : A} 


>y = x 
sym’ refl’ = refl’ 


For simplicity, we avoid universe polymorphism in the defini- 
tions given in the text, but most definitions in the standard li- 
brary, including those for equality, are generalised to arbitrary 
levels as above. 


= : V {@ : Level} {A : Set 2} (x y : A) > Set (lsuc 2) 
_=_ {@} {A} x y=V (P: A> Set 2) >Px->Py 


Before the signature used Seti as the type of a term that in- 
cludes Set, whereas here the signature uses Set (lsuc f) as 
the type of a term that includes Set ?. 


o 6: VW {@1 2 @3 : Level} {A : Set 21} {B : Set 22} {C : Set Q3} 


~- (B= C) - (A= B) = ASC 


(g° f) x = g (f x) 
Further information on levels can be found in the Agda docs. 
Standard library 


-- import Relation.Binary.PropositionalEquality as Eq 
-- open Eq using ( = ; refl; trans; sym; cong; cong-app; subst) 


-- open Eq.=-Reasoning using (begin ; =() ; step-=; #) 


Here the imports are shown as comments rather than code to 
avoid collisions, as mentioned in the introduction. 


Unicode 
This chapter uses the following unicode: 


U+2261 IDENTICAL TO (\==, \equiv) 

U+27E8 MATHEMATICAL LEFT ANGLE BRACKET (\<) 
U+27E9 MATHEMATICAL RIGHT ANGLE BRACKET (\>) 
U+220E END OF PROOF (\qed) 

U+2250 APPROACHES THE LIMIT (\.=) 

U+2113 SCRIPT SMALL L (\ell) 

U+2294 SQUARE CUP (\lub) 

U+2080 SUBSCRIPT ZERO (\_0) 

U+2081 SUBSCRIPT ONE (\_1) 

U+2082 SUBSCRIPT TWO (\_2) 


i ee ie ||| 


In what follows, we will make use of function composition:Thus, 
g ° £ is the function that first applies f£ and then applies g. An 
equivalent definition, exploiting lambda expressions, is as fol- 
lows: Agda does not presume extensionality, but we can postu- 
late that it holds: As an example, consider that we need results 
from two libraries, one where addition is defined, as in Chapter 
Naturals, and one where it is defined the other way around.Ap- 
plying commutativity, it is easy to show that both operators al- 
ways return the same result given the same arguments:However, 
it might be convenient to assert that the two operators are actu- 
ally indistinguishable. This we can do via two applications of ex- 
tensionality: More generally, we may wish to postulate exten- 
sionality for dependent functions. Two sets are isomorphic if they 
are in one-to-one correspondence. Here is a formal definition of 
isomorphism: The above is our first use of records. A record dec- 
laration behaves similar to a single-constructor data declaration 
(there are minor differences, which we discuss in Connectives): 
Isomorphism is an equivalence, meaning that it is reflexive, sym- 
metric, and transitive. To show isomorphism is reflexive, we take 
both to and from to be the identity function: To show isomor- 
phism is symmetric, we simply swap the roles of to and fron, 
and frometo and toefrom:To show isomorphism is transitive, 
we compose the to and from functions, and use equational 
reasoning to combine the inverses: Here is the formal definition 
of embedding: Embedding is reflexive and transitive, but not 
symmetric. The proofs are cut down versions of the similar 
proofs for isomorphism:It is also easy to see that if two types em- 
bed in each other, and the embedding functions correspond, then 
they are isomorphic. This is a weak form of anti-symmetry: Show 
that every isomorphism implies an embedding. Define equiva- 
lence of propositions (also known as “if and only if”) as follows: 
Using the above, establish that there is an embedding of N into 
Bin. Definitions similar to those in this chapter can be found in 
the standard library: 


Isomorphism: Isomorphism and Embed- 
ding 


module plfa.partl.Isomorphism where 


This section introduces isomorphism as a way of asserting that 
two types are equal, and embedding as a way of asserting that 
one type is smaller than another. We apply isomorphisms in the 
next chapter to demonstrate that operations on types such as 
product and sum satisfy properties akin to associativity, commu- 
tativity, and distributivity. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 
open Eq using ( = ; refl; cong; cong-app) 

open Eq.=-Reasoning 

open import Data.Nat using (N; zero; suc; + _) 


open import Data.Nat.Properties using (+-comm) 


Lambda expressions 


The chapter begins with a few preliminaries that will be useful 
here and elsewhere: lambda expressions, function composition, 
and extensionality. 


Lambda expressions provide a compact way to define functions 
without naming them. A term of the form 


A{ Pi > Niaz ** 7 Pn > Nn } 

is equivalent to a function £ defined by the equations 
f Pi = ™M 

£ Py = Na 


where the Pn are patterns (left-hand sides of an equation) and 
the Ny are expressions (right-hand side of an equation). 


In the case that there is one equation and the pattern is a vari- 
able, we may also use the syntax 


A xoN 


or 
A (x : A) oN 


both of which are equivalent to A{x > N}. The latter allows 
one to specify the domain of the function. 


Often using an anonymous lambda expression is more convenient 
than using a named function: it avoids a lengthy type declara- 
tion; and the definition appears exactly where the function is 
used, so there is no need for the writer to remember to declare it 
in advance, or for the reader to search for the definition in the 
code. 


Function composition 


C : Set} - (B => C) - (A= 8B) = (A= C) 
g (f x) 


oe’ : WV {ABC : Set} - (B > C) > (A> 8B) = (A = C) 
go’ f = Ax-g (Ff x) 


Extensionality 


Extensionality asserts that the only way to distinguish functions 
is by applying them; if two functions applied to the same argu- 
ment always yield the same result, then they are the same func- 
tion. It is the converse of cong-app, as introduced earlier. 


postulate 
extensionality : V {AB : Set} {f g : A = B} 
> (V (x: A) > f x =g x) 


Postulating extensionality does not lead to difficulties, as it is 
known to be consistent with the theory that underlies Agda. 


+7 :NSON-N 


m+’ zero =m 


m+’ suc n suc (m +’ n) 


same-app : V (mn: N) >m+’ neme+n 
same-app mn rewrite +-comm mn = helper mn 
where 
helper : V (mn :N) >m+’ nen+m 


refl 
cong suc (helper m n) 


helper m zero 
helper m (suc n) 


Same : +° = + 


same = extensionality (A m > extensionality (A n > same-app m n)) 
We occasionally need to postulate extensionality in what follows. 


postulate 
V-extensionality : V {A : Set} {B : A > Set} {f g : V(x : A) > B x 
> (VW (x : A) = f x Sg x) 


Here the type of £ and g has changed from A > Bto V (x 
A) > B x, generalising ordinary functions to dependent func- 
tions. 


Isomorphism 
infix @ = 
record = (AB: Set) : Set where 
field 
to >: A-B 
from: BoA 
frometo : V (x : A) = from (to x) = x 
tocfrom : V (y : B) - to (from y) = y 
open = 


Let’s unpack the definition. An isomorphism between sets A and 
B consists of four things: 


1. A function to from Ato B, 
2. A function from from B back to A, 
3. Evidence frometo asserting that from is a left-inverse for 


Oy 
4. Evidence toefrom asserting that from is a right-inverse 


for to. 


In particular, the third asserts that from ° to is the identity, 
and the fourth that to ° from is the identity, hence the names. 
The declaration open _=_ makes available the names to, 
from, frometo, and toefrom, otherwise we would need to 
write _=_.to and so on. 


data =’ (AB: Set): Set where 
“+ ¥ (to : A-B) = 
Y (from : B= A) = 
Y (frometo : (V (x : A) = from (to x) 
V ( 
A= 


moll 
< x 


tocfrom : (V (y : B) = to (from y) 
to’ : V {AB : Set} - (A =’ B) = (A => B) 
“ (mk-=" f 


from’ : V {AB : Set} = (A =’ B) = (B = A) 
from’ (mk-=’ f g gof feg) =g 


fromceto’ : V 
fromceto’ (mk-=’ 


Rods 
> 
+> © 
io) 
oO 
rk 
a 
JL 
S 
R 
> 
R 
ive) 
L 
=< 


tocfrom’ : V 
tocofrom’ (mk-=’ 


Rod 
> 
+> © 
wn 
oO 
rk 
Ww 
JL 
> 
R 
> 
R 
is) 
4 
= 


We construct values of the record type with the syntax 


record 
{ to =f 
; from =gQg 
; frometo = gf 
; toefrom = f°g 


which corresponds to using the constructor of the corresponding 
inductive type 


mk-='’ £ g gef f°g 


(x : A) = from’ A=B ( 


(y : B) = to’ AsB (fr 


where f, g, gf, and feg are values of suitable types. 


Isomorphism is an equivalence 


=-refl : V {A : Set} 


>A=A 
=-refl = 
record 
{ to = A{x > x} 
: from = A{y > y} 
: frometo = A{x > refl} 
; toofrom = Af{y > refl} 
} 


In the above, to and from are both bound to identity func- 
tions, and frometo and toefrom are both bound to functions 
that discard their argument and return ref1. In this case, refl 
alone is an adequate proof since for the left inverse, from (to 


x) simplifies to x, and similarly for the right inverse. 


=-sym : V {AB : Set} 


-A=B 
-B=A 
=-sym A=B = 
record 
{ to = from A=B 
: from = to AsB 
: frometo = tocfrom A=B 
: toofrom = frometo A=B 
} 
=-trans : V {A BC: Set} 
-~A=B 
~B=C 
~A=C 
=-trans A=B B=C = 
record 
{ to = to BeC o to’ AsB 
: from = from A=B ° from B=C 
: frometo = A{x > 


begin 
(from A=B o from B=C) ((to B=C © to A=B) x) 


from A=B (from B=C (to B=C (to A=B x))) 

=( cong (from A=B) (frometo B=C (to A=B x)) } 
from A=B (to A=B x) 

=( frometo AsB x ) 
x 

a} 

; tocfrom = Af{y > 

begin 

(to B=C © to A=B) ((from A=B o from BeC) y) 


to B=C (to A=B (from A=B (from BsC y))) 

=( cong (to B=C) (toefrom A=B (from BeC y)) ) 
to B=C (from BsC y) 

=( toefrom BC y ) 
y 

a} 


Equational reasoning for isomorphism 


It is straightforward to support a variant of equational reasoning 
for isomorphism. We essentially copy the previous definition of 
equality for isomorphism. We omit the form that corresponds to 
_=()_, since trivial isomorphisms arise far less often than trivial 
equalities: 


module =-Reasoning where 
infix 1 =-begin_ 
infixr 2 =( )_ 
infix 3 =-t 
=-begin. : V {AB : Set} 
-A=B 


- A=B 
=(_) : V (A: Set) {BC : Set} 


A =( A=B ) B=C = =-trans A=B B=C 


=-8 : V (A: Set) 


open ~-Reasoning 


Embedding 


We also need the notion of embedding, which is a weakening of 
isomorphism. While an isomorphism shows that two types are in 
one-to-one correspondence, an embedding shows that the first 
type is included in the second; or, equivalently, that there is a 
many-to-one correspondence between the second type and the 
first. 


infix 0 s_ 
record s (AB: Set) : Set where 
field 
to A 
from : B 
frometo : V 
open s_ 


B 
A 
x : A) ~ from (to x) =x 


aloe 


It is the same as an isomorphism, save that it lacks the toefrom 
field. Hence, we know that from is left-inverse to to, but not 
that from is right-inverse to to. 


s-refl : V {A : Set} -ASA 
s-refl = 
record 

{ to = A{x > x} 

; from = A{y > y} 

; frometo = A{x > refl} 

} 
s-trans : V{ABC: Set} -AsSBSOBsCHASC 
s-trans AsB BsC = 


{ to = A{x = to BsC (to  AsB x)} 


; from = A{y > from AsB (from BsC y)} 
: frometo = A{x > 
begin 


from AsB (from BsC (to BsC (to AsB x))) 

=( cong (from AsB) (frometo BsC (to AsB x)) ) 
from AsB (to AsB x) 

=( frometo AsB x ) 


x 
a} 
} 
s-antisym : V {AB : Set} 
~ (AsB : A sB) 
~ (BSA : Bs A) 
> (to AsB = from BsA) 
~ (from AsB = to BsA) 
-~A=B 
s-antisym AsB BsA to=from from=to = 
record 
{ to = to AsB 
: from = from AsB 
; frometo = frometo AsB 
; tocfrom = Af{y - 
begin 


to AsB (from AsB y) 
=( cong (to AsB) (cong-app from=to y) } 
to AsB (to BsA y) 
{( cong-app to=from (to BsA y) ) 
from BsA (to BsA y) 
=( frometo BsA y ) 
y 
a} 


The first three components are copied from the embedding, 
while the last combines the left inverse of B < A with the 
equivalences of the to and from components from the two em- 
beddings to obtain the right inverse of the isomorphism. 


Equational reasoning for embedding 


We can also support tabular reasoning for embedding, analogous 
to that used for isomorphism: 


module s-Reasoning where 


infixr 2 s{_ 
infix 3 s-t 


infix 1 s-begin_ 
( 


s-begin : V {AB : Set} 
-AsB 


-~AsB 


s( ) : V (A: Set) {B C : Set} 


A s( AsB ) BsC = s-trans AsB BsC 


_s-§ : V (A: Set) 


open s-Reasoning 
Exercise =~-implies-—< (practice) 


postulate 
=-implies-s : V {AB : Set} 
»>A=B 


-- Your code goes here 
Exercise _@_ (practice) 


record # (AB: Set) : Set where 
field 


Show that equivalence is reflexive, symmetric, and transitive. 


-- Your code goes here 


Exercise Bin-embedding (stretch) 


Recall that Exercises Bin and Bin-laws define a datatype Bin of 
bitstrings representing natural numbers, and asks you to define 
the following functions and predicates: 


to : N = Bin 
from : Bin -N 


which satisfy the following property: 


from (to n) =n 
-- Your code goes here 
Why do to and from not form an isomorphism? 


Standard library 


import Function using ( ° ) 
import Function.Inverse using ( + _) 
import Function.LeftInverse using ( « ) 


The standard library _»+ _ and _« _ correspond to our _=_ 
and _<_, respectively, but those in the standard library are less 
convenient, since they depend on a nested record structure and 
are parameterised with regard to an arbitrary notion of equiva- 
lence. 


Unicode 


This chapter uses the following unicode: 


° U+2218 RING OPERATOR (\o, \circ, \comp) 
aN U+03BB GREEK SMALL LETTER LAMBDA (\lambda, 
\G1) 


qu R 


U+2243 
U+2272 
U+21D4 


ASYMPTOTICALLY EQUAL TO (\~-) 
LESS-THAN OR EQUIVALENT TO (\<~) 
LEFT RIGHT DOUBLE ARROW (\<=>) 


Given two propositions A and B, the conjunction A x B holds 
if both A holds and B holds. We formalise this idea by declaring 
a suitable datatype: Given evidence that A x B holds, we can 
conclude that both A holds and B holds: In this case, applying 
each destructor and reassembling the results with the constructor 
is the identity over products: We set the precedence of conjunc- 
tion so that it binds less tightly than anything save disjunction: 
Alternatively, we can declare conjunction as a record type: The 
data type _x_ and the record type _x’_ behave similarly. One 
difference is that for data types we have to prove n-equality, but 
for record types, n-equality holds by definition. While proving n- 
x’, we do not have to pattern match on w to know that n-equal- 
ity holds: Given two types A and B, werefer to A x Bas the 
product of A and B. In set theory, it is also sometimes called the 
Cartesian product, and in computing it corresponds to a record 
type. Among other reasons for calling it the product, note that if 
type A has m distinct members, and type B has n distinct mem- 
bers, then the type A x Bhas m * n distinct members. For in- 
stance, consider a type Bool with two members, and a type 
Tri with three members: For example, the following function 
enumerates all possible arguments of type Bool x Tri: For 
commutativity, the to function swaps a pair, taking ( x , y ) 
to ( y , x ), andthe from function does the same (up to re- 
naming). Instantiating the patterns correctly in frometo and 
toefrom is essential. Replacing the definition of frometo by A 
w —> refl will not work; and similarly for toefrom: For asso- 
ciativity, the to function reassociates two uses of pairing, taking 
(x, y), z)to{ x, (yy, z) ), andthe from 
function does the inverse. Again, the evidence of left and right 
inverse requires matching against a suitable pattern to enable 
simplification: Truth T always holds. We formalise this idea by 
declaring a suitable datatype: The nullary case of n-~x is n-T, 
which asserts that any value of type T must be equal to tt: Al- 
ternatively, we can declare truth as an empty record: As with the 
product, the data type T and the record type T’ behave simi- 
larly, but n-equality holds by definition for the record type. While 
proving n-T’, we do not have to pattern match on w—Agda 
knows it is equal to tt ’:Agda knows that any value of type T’ 
must be tt’, so any time we need a value of type 1’, we can 


tell Agda to figure it out:We refer to T as the unit type. And, in- 
deed, type T has exactly one member, tt. For example, the fol- 
lowing function enumerates all possible arguments of type T:For 
numbers, one is the identity of multiplication. Correspondingly, 
unit is the identity of product up to isomorphism. For left identity, 
the to function takes ( tt , x )to x, and the from func- 
tion does the inverse. The evidence of left inverse requires 
matching against a suitable pattern to enable simplification: 
Right identity follows from commutativity of product and left 
identity: Given two propositions A and B, the disjunction A U 
B holds if either A holds or B holds. We formalise this idea by 
declaring a suitable inductive type: Given evidence that A > C 
and B - C both hold, then given evidence that A WU B holds 
we can conclude that c holds: Applying the destructor to each of 
the constructors is the identity:More generally, we can also 
throw in an arbitrary function from a disjunction: We set the 
precedence of disjunction so that it binds less tightly than any 
other declared operator: For example, the following function 
enumerates all possible arguments of type Bool W Tri: False 
never holds. We formalise this idea by declaring a suitable in- 
ductive type: Dual to T, for + there is no introduction rule but 
an elimination rule. Since false never holds, knowing that it 
holds tells us we are in a paradoxical situation. Given evidence 
that -L holds, we might conclude anything! This is a basic princi- 
ple of logic, known in medieval times by the Latin phrase ex 
falso, and known to children through phrases such as “if pigs had 
wings, then I’d be the Queen of Sheba”. We formalise it as fol- 
lows: The nullary case of uniq-W is uniq-1, which asserts 
that lL-—elim is equal to any arbitrary function from -L: We re- 
fer to -L as the empty type. And, indeed, type 1 has no mem- 
bers. For example, the following function enumerates all possible 
arguments of type .: Put another way, if we know that A > B 
and A both hold, then we may conclude that B holds: Elimina- 
tion followed by introduction is the identity: For example, the 
following function enumerates all possible arguments of the type 
Bool + Tri: Both types can be viewed as functions that given 
evidence that A holds and evidence that B holds can return evi- 
dence that c holds. This isomorphism sometimes goes by the 
name currying. The proof of the right inverse requires extension- 
ality: That is, the assertion that if either A holds or B holds then 


C holds is the same as the assertion that if A holds then c holds 
and if B holds then c holds. The proof of the left inverse re- 
quires extensionality: That is, the assertion that if A holds then 
B holds and c holds is the same as the assertion that if A holds 
then B holds and if A holds then c holds. The proof of left in- 
verse requires both extensionality and the rule n-~ for products: 
Products distribute over sum, up to isomorphism. The code to 
validate this fact is similar in structure to our previous re- 
sults:sums do not distribute over products up to isomorphism, 
but it is an embedding: Show that the following property holds: 
Show that a disjunct of conjuncts implies a conjunct of disjuncts: 
Definitions similar to those in this chapter can be found in the 
standard library: 


Connectives: Conjunction, disjunction, 
and implication 


module plfa.partl.Connectives where 


This chapter introduces the basic logical connectives, by observ- 
ing a correspondence between connectives of logic and data 
types, a principle known as Propositions as Types: 


* conjunction is product, 

* disjunction is sum, 

* true is unit type, 

* false is empty type, 

* implication is function space. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 

open Eq using ( = ; refl) 

open Eq.=-Reasoning 

open import Data.Nat using (N) 

open import Function using ( ° ) 

open import plfa.partl.Isomorphism using ( = ; s ; extensionality; 
open plfa.part1.Isomorphism.=-Reasoning 


Conjunction is product 


data x (AB: Set) : Set where 


Evidence that A x B holds is of the form ( M , N ), where M 
provides evidence that A holds and N provides evidence that B 
holds. 


proji1 : V {AB : Set} 
~AxB 


projz : V {AB : Set} 
~ AxB 


If L provides evidence that A x B holds, then proj L pro- 
vides evidence that A holds, and pro jz L provides evidence 
that B holds. 


When (_,_) appears in a term on the right-hand side of an 
equation we refer to it as a constructor, and when it appears in a 
pattern on the left-hand side of an equation we refer to it as a de- 
structor. We may also refer to proji and pro7jz as destructors, 
since they play a similar role. 


Other terminology refers to (_,_) as introducing a conjunction, 
and to proji and pro/}2 as eliminating a conjunction; indeed, 
the former is sometimes given the name x-—I and the latter two 
the names x-E; and x-Ep2. As we read the rules from top to bot- 
tom, introduction and elimination do what they say on the tin: 
the first introduces a formula for the connective, which appears in 


the conclusion but not in the hypotheses; the second eliminates a 
formula for the connective, which appears in a hypothesis but 
not in the conclusion. An introduction rule describes under what 
conditions we say the connective holds—how to define the con- 
nective. An elimination rule describes what we may conclude 
when the connective holds—how to use the connective. ! 


n-x : V {AB : Set} (w: Ax B) = ( proji w, proj2 w) =w 
n-x (x,y) =refl 


The pattern matching on the left-hand side is essential, since re- 
placing w by ¢ x , y ) allows both sides of the propositional 
equality to simplify to the same term. 

infixr 2%. 


Thus, m < n x n < pparsesas (m < n) x (n < p). 


record x’ (AB: Set) : Set where 
constructor (_, )’ 


field 
proji’ : A 
proj2’ : B 
open x’_ 
The record construction record { proji’ = Mj; proje2’ = 


N } corresponds to the term ( M , N ) where M isa term of 
type A and N is a term of type B. The constructor declaration 
allows us to write ( M , N )’ in place of the record construc- 
tion. 


: V {A B : Set} (w: A x’ B) = ( proji’ w, proj2’ w )’ 
w = refl 


It can be very convenient to have n-equality definitionally, and so 
the standard library defines _x_ as a record type. We use the 
definition from the standard library in later chapters. 


data Bool : Set where 
true : Bool 


false : Bool 


data Tri : Set where 


aa: Tri 
bb! TFL 
ces, Tri 


Then the type Bool x Tri has six members: 


{ true , aa) { true , bb ) ( true , cc) 
( false , aa ) ( false , bb ) ( false , cc ) 


x-count : Bool x Tri -N 


x-count ( true , aa) = 1 
x-count ( true , bb) = 2 
x-count ( true , cc) = 3 
x-count ( false , aa) = 4 
x-count ( false , bb ) = 5 
x-count ( false , cc ) = 6 


Product on types also shares a property with product on numbers 
in that there is a sense in which it is commutative and associa- 
tive. In particular, product is commutative and associative up to 
isomorphism. 


x-comm : V {AB : Set} -AxB=BxrxA 


x-comm = 
record 
{ to = Mt Xe V¥ Poh ye we) F 
; from = M(y,x)7(x,y)} 
; fromoto = A{ (x,y) -7refl } 
; tocfrom = A{ (y,x)-refl } 
} 


Being commutative is different from being commutative up to iso- 
morphism. Compare the two statements: 


m*nz=n* m 
A xB BxxaA 


R 


In the first case, we might have that mis 2 and n is 3, and 
both m * nand n * mare equal to 6. In the second case, we 
might have that Ais Bool and Bis Tri, and Bool x Tri is 


not the same as Tri x Bool. But there is an isomorphism be- 
tween the two types. For instance, ( true , aa ), whichis a 
member of the former, corresponds to ( aa , true ), which is 
a member of the latter. 


x-assoc : V {ABC : Set} - (A x B) x C=A x (B x C) 
x-aSSOC = 


record 
{ to =A{((x,y),2)27¢(x,(y,2z)) } 
; from =M(x,(y,2z2))7¢¢(x,y),2) 4} 
; fromoto = A{ ( (x,y), 2z)-7 refl } 
; tocfrom =A{ (x, (y,2Z))- refl } 
} 


Being associative is not the same as being associative up to isomor- 
phism. Compare the two statements: 


For example, the type (N x Bool) x Tri is not the same as 
N x (Bool x Tri). But there is an isomorphism between the 
two types. For instance ( ( 1 , true ) , aa ), whichisa 
member of the former, corresponds to ( 1 , ( true , aa ) 
), which is a member of the latter. 


Exercise ©@=x (recommended) 


Show that A © B as defined earlier is isomorphic to (A > B) 
x (B > A). 


-- Your code goes here 


Truth is unit 


data T : Set where 


LE F 


Tt 


Evidence that T holds is of the form tt. 


There is an introduction rule, but no elimination rule. Given evi- 
dence that T holds, there is nothing more of interest we can 
conclude. Since truth always holds, knowing that it holds tells us 
nothing new. 


n-T : V (w: T) = tt Sw 
n-T tt = refl 


The pattern matching on the left-hand side is essential. Replacing 
w by tt allows both sides of the propositional equality to sim- 
plify to the same term. 


record T’ : Set where 
constructor tt’ 


The record construction record {} corresponds to the term 
tt. The constructor declaration allows us to write tt’. 


n-T’ : V (w: T’) > tt’ Sw 
n-T we=refl 

truth” + 7° 

truth’ = 


T-count : ToN 
T-count tt = 1 


T-identity! : V {A : Set} > TxA=A 
T-identity! = 
record 

4: EO) =A{ (tt ,x)->x} 

; from =A{x->(tt,x) } 

; fromoto = A{ ( tt , x ) = refl } 

; tocfrom = A{ x = refl } 

t 


Having an identity is different from having an identity up to iso- 
morphism. Compare the two statements: 


In the first case, we might have that mis 2, and both 1 * m 
and mare equal to 2. In the second case, we might have that A 
is Bool, and T x Bool is not the same as Bool. But there is 
an isomorphism between the two types. For instance, ( tt , 
true ), which is a member of the former, corresponds to true, 
which is a member of the latter. 


T-identity" : V {A : Set} - (Ax T) =A 
T-identity" {A} = 
=-begin 
(A x T) 
=({ x-comm ) 
(T x A) 
=( T-identity! ) 


Here we have used a chain of isomorphisms, analogous to that 
used for equality. 


Disjunction is sum 


data _w (AB: Set) : Set where 


Evidence that A W B holds is either of the form inj; M, where 
M provides evidence that A holds, or inj2 N, where N provides 
evidence that B holds. 


case-U : V {ABC : Set} 


- (A= C) 

> (B = C) 

-AUWB 

2 C 
case-WU f g (inji x) = f 
case-W f g (injz y) =g 


Pattern matching against inji and inj2 is typical of how we 
exploit evidence that a disjunction holds. 


When inji and inj2 appear on the right-hand side of an equa- 
tion we refer to them as constructors, and when they appear on 
the left-hand side we refer to them as destructors. We also refer to 
case-W as a destructor, since it plays a similar role. Other termi- 
nology refers to inj1 and in/42 as introducing a disjunction, and 
to case-W as eliminating a disjunction; indeed the former are 
sometimes given the names W-I, and W-TI2 and the latter the 
name W-E. 


n-y : V {A B: Set} (w: Aw B) > case-U inji injz w=w 

n-W (inji x) = refl 

n-W (injz y) = refl 

unig-¥ : V {ABC : Set} (h: AY BC) (w: AWB) = 
case-WU (h o inji) (he injz) w= hw 

uniq-W h (inji x) = refl 

uniq-W h (inj2 y) = refl 


The pattern matching on the left-hand side is essential. Replacing 
w by inj1 x allows both sides of the propositional equality to 
simplify to the same term, and similarly for inj y. 


infixr 1 uU_ 


Thus, A x C U B x Cparsesas (A x C) WU (B x C). 


Given two types A and B, we refer to A WU Bas the sumof A 
and B. In set theory, it is also sometimes called the disjoint union, 
and in computing it corresponds to a variant record type. Among 
other reasons for calling it the sum, note that if type A has m 


distinct members, and type B has n distinct members, then the 
type A WU Bhas m + n distinct members. For instance, consider 
a type Bool with two members, and a type Tri with three 
members, as defined earlier. Then the type Bool WU Tri has 
five members: 


inji true inj2 aa 
inji false inj2 bb 
inj2 cc 


W-count : Bool ¥ Tri +N 
W-count (inji true) = 
W-count (inji false) 
W-count (injz2 aa) 
( 
( 


W-count (injz2 bb) 
W-count (injz2 cc) 


OBBWNF 


Sum on types also shares a property with sum on numbers in that 
it is commutative and associative up to isomorphism. 


Exercise W—comm (recommended) 
Show sum is commutative up to isomorphism. 


-- Your code goes here 

Exercise W-assoc (practice) 

Show sum is associative up to isomorphism. 
-- Your code goes here 

False is empty 


data 1 : Set where 
-- no clauses! 


There is no possible evidence that holds. 


l-elim : V {A : Set} 
> 1 


~A 
l-elim () 


This is our first use of the absurd pattern (). Here since 1 isa 


type with no members, we indicate that it is never possible to 
match against a value of this type by using the pattern (). 


The nullary case of case-U is L-elim. By analogy, we might 
have called it case-L, but chose to stick with the name in the 
standard library. 


unig-L : V {C : Set} (h : L>C) (w: L) > L-elimw=hw 
uniq-L h () 


Using the absurd pattern asserts there are no possible values for 
w, so the equation holds trivially. 


i-count : LoN 
i-count () 


Here again the absurd pattern () indicates that no value can 
match type L. 


For numbers, zero is the identity of addition. Correspondingly, 
empty is the identity of sums up to isomorphism. 


Exercise l-identity! (recommended) 
Show empty is the left identity of sums up to isomorphism. 


-- Your code goes here 


Exercise _-identity' (practice) 
Show empty is the right identity of sums up to isomorphism. 


-- Your code goes here 


Implication is function 


Given two propositions A and B, the implication A > B holds if 
whenever A holds then B must also hold. We formalise implica- 
tion using the function type, which has appeared throughout this 
book. 


Evidence that A > B holds is of the form 
A (x : A) oN 


where N is a term of type B containing as a free variable x of 
type A. Given a term L providing evidence that A > B holds, 
and a term M providing evidence that A holds, the term L M 
provides evidence that B holds. In other words, evidence that A 
+ B holds is a function that converts evidence that A holds into 
evidence that B holds. 


~-elim : V {AB : Set} 
> (A > B) 


-B 
~-elim LM=LM 


In medieval times, this rule was known by the name modus po- 
nens. It corresponds to function application. 


Defining a function, with a named definition or a lambda ab- 
straction, is referred to as introducing a function, while applying a 
function is referred to as eliminating the function. 


n-> : V {AB : Set} (f : A> B) = (A (x: A) > f x) = Ff 
n-> f = refl 


Implication binds less tightly than any other operator. Thus, A 
WU B-+ BU Aparsesas (A U B) > (BU A). 


Given two types A and B, we refer to A — B as the function 
space from A to B. It is also sometimes called the exponential, 
with B raised to the A power. Among other reasons for calling it 


the exponential, note that if type A has m distinct members, and 
type B has n distinct members, then the type A > B has n™ 
distinct members. For instance, consider a type Bool with two 
members and a type Tri with three members, as defined earlier. 
Then the type Bool - Tri has nine (that is, three squared) 
members: 


A{true - aa; false - aa} A{true - aa; false - 
bb} A{true > aa; false - cc} 
A{true > bb; false - aa} A{true - bb; false - 
bb} A{true > bb; false - cc} 
A{true > cc; false - aa} A{true > cc; false - 
bb} A{true > cc; false - cc} 


~-count : (Bool - Tri) -N 


--count f with f true | f false 
| aa | aa = 1 
| aa | bb = 2 
| aa | ‘ce = 3 
| bb | aa = 4 
| bb | bb = 5 
| bb | ce = 6 
| :6¢ | aa = 7 
| “Ge | bb = 8 
| (ee | ce = 9 


Exponential on types also share a property with exponential on 
numbers in that many of the standard identities for numbers 
carry over to the types. 


Corresponding to the law 


(p A n) A m = Pp A (n * m) 
we have the isomorphism 
A- (B= C) = (A x B) +C 


currying : V {ABC : Set} - (A+B-(C) = (A xB =-(C) 


currying = 
record 
{ to = Mfr-M{(x,y)-Ff xy f} 
; from = AL gr A{ x>AL yrgt( x,y) FF 


: frometo 
: toofrom 
} 


A{ f > refl } 
A{ g - extensionality A{ ( x , y ) > refl }} 


Currying tells us that instead of a function that takes a pair of ar- 
guments, we can have a function that takes the first argument 
and returns a function that expects the second argument. Thus, 
for instance, our way of writing addition 

+ :N-+sNG-N 


is isomorphic to a function that accepts a pair of arguments: 


_t'_: (N x N) +N 


Agda is optimised for currying, so 2 + 3 abbreviates _+ 2 3. 


In a language optimised for pairing, we would instead take 2 + 
’ 3 asan abbreviation for _+’_ ( 2 , 3 ). 

Corresponding to the law 

pep * (n +m) = (p * n) * (p * m) 
we have the isomorphism: 


(AWB) +C = (A -+C) x (B= C) 


~-distrib-u : V {ABC : Set} - (AUB-=C) = ((A-C) x (B= C)) 
>-distrib-u = 


record 
{ to =A{ f > ( f © inji , f © injz ) } 
; from = =A{(g,h) > Af (inj: x) +g x ; (injez y) >hy } 
; frometo = A{ f > extensionality A{ (inji x) > refl ; (inj y) 
; tocfrom = A{ (9g, h) 7 refl } 
} 


Corresponding to the law 


“a 


(p * n) m= (p 
we have the isomorphism: 


A>Bx CC = (A > B) x (A = C) 


~-distrib-x : 
~-distrib-x = 
record 
{ to 
: from 
; fromceto 
; tocfrom 


} 


Distribution 


x-distrib-u : 
x-distrib-u = 
record 
{ to 


: from 


; fromceto 


: tocofrom 


U-distrib-x : 
U-distrib-x = 
record 
{ to 


: from 


: frometo 


Note that there 


VY {A BC: Set} - (A>Bx C) = (A->B) x (A= C) 


Vv 


AM 
AM 
Mt 
AM 


f = ( proji ° f , projz2 o f ) } 
(g,h)+s-Ax>(gx,hx ) } 

f > extensionality A{ x > n-x (f x) } } 
(g,h)- refl } 


BC: Set} = (AW B) x C = (A x C) UW (B x C) 
( Iije X>.Z2) 4 Ginje (x5 2) 

{ inje ¥ . 2) + (ange 4 -¥ 4-2) 

(inja (x, Z)) > ( inji x ,z) 

(ange VY 29) > ¢ inje y , 27 

( inji xX , z) 7 refl 

( injz y,z)-refl 

(inji (xX, 2Z)) > refl 

(inj2 (y,2Z)) > refl 

BC: Set} - (Ax B) UC s (AWC) x (Bu C) 
(injr (x,y )) > ( inji x , inji y ) 

(injz2 z) > ( injz z , inj2 z ) 


{ inja x , anjs y )-= Ginjz (x, y }) 
{ inji xX , injz z ) > (inj2 Zz) 
( injzz, _ ) > (inj2 z) 


(inji (xX ,y )) > refl 
(inj2 z) > refl 


is a choice in how we write the from function. 


As given, it takes ( inj2 z , inj2 z’ )to inj2 z, but it is 
easy to write a variant that instead returns inj2 z’. We have 
an embedding rather than an isomorphism because the from 
function must discard either z or z’ in this case. 


In the usual approach to logic, both of the distribution laws are 
given as equivalences, where each side implies the other: 


Ax (BWC) © (A x B) U (A x C) 

AW (Bx Cc) © (AWB) x (AUC) 

But when we consider the functions that provide evidence for 
these implications, then the first corresponds to an isomorphism 
while the second only corresponds to an embedding, revealing a 
sense in which one of these laws is “more true” than the other. 


Exercise W-weak-x (recommended) 


postulate 
W-weak-x : V {A BC: Set} - (AUB) x C3 AU (B x C) 


This is called a weak distributive law. Give the corresponding dis- 
tributive law, and explain how it relates to the weak version. 


-- Your code goes here 
Exercise Jx-implies-—xW (practice) 


postulate 
Wx-implies-x¥ : V {A BCD: Set} = (Ax B) uw (C x D) = (AWC) x 


Does the converse hold? If so, prove; if not, give a counterexam- 
ple. 


-- Your code goes here 
Standard library 


import Data.Product using (_ x ; proji; projz) renaming (_, to (_, } 


import Data.Unit using (T; tt) 

import Data.Sum using (WU; inji; injz) renaming ([_,_] to case-vW) 
import Data.Empty using (1; 1-elim) 

import Function.Equivalence using ( # ) 


The standard library constructs pairs with _,_ whereas we use 
{_,_). The former makes it convenient to build triples or larger 
tuples from pairs, permitting a , b , ctostandfor (a , (b 
, c)). But it conflicts with other useful notations, such as 
[_,_] to construct a list of two elements in Chapter Lists and T 
, A to extend environments in Chapter DeBruijn. The standard 
library _©_ is similar to ours, but the one in the standard li- 
brary is less convenient, since it is parameterised with respect to 
an arbitrary notion of equivalence. 


Unicode 


This chapter uses the following unicode: 


x U+00D7 MULTIPLICATION SIGN (\x) 

Wo U+228E MULTISET UNION (\u+) 

T U+22A4 DOWN TACK (\top) 

1 U+22A5 UP TACK (\bot) 

n U+03B7 GREEK SMALL LETTER ETA (\eta) 

1 U+2081 SUBSCRIPT ONE (\_1) 

2 U+2082 SUBSCRIPT TWO (\_2) 

© U+21D4 LEFT RIGHT DOUBLE ARROW (\<=>) 


1. This paragraph was adopted from “Propositions as Types”, 
Philip Wadler, Communications of the ACM, December 
2015.< 


Given a proposition A, the negation - A holds if A cannot 
hold. We formalise this idea by declaring negation to be the same 
as implication of false: Given evidence that both ~ A and A 
hold, we can conclude that holds. In other words, if both = A 
and A hold, then we have a contradiction: We set the precedence 
of negation so that it binds more tightly than disjunction and 
conjunction, but less tightly than anything else: In classical logic, 
we have that A is equivalent to - ~ A. As we discuss below, in 
Agda we use intuitionistic logic, where we have only half of this 
equivalence, namely that A implies - — A: An equivalent way 
to write the above is as follows: We cannot show that - ~ A im- 
plies A, but we can show that - -~ ~ Aimplies ~ A: Another 
law of logic is contraposition, stating that if A implies B, then 7— 
B implies — A: Using negation, it is straightforward to define in- 
equality:It is trivial to show distinct numbers are not equal:This 
is our first use of an absurd pattern in a lambda expression. The 
type M = N is occupied exactly when M and N simplify to iden- 
tical terms. Since 1 and 2 simplify to distinct normal forms, 
Agda determines that there is no possible evidence that 1 = 2. 
As a second example, it is also easy to validate Peano’s postulate 
that zero is not the successor of any number: Indeed, there is ex- 
actly one proof of L + tL. We can write this proof two different 
ways:But, using extensionality, we can prove these equal: Indeed, 
we can show any two proofs of a negation are equal: The law of 
the excluded middle can be formulated as follows:As we noted, 
the law of the excluded middle does not hold in intuitionistic 
logic. However, we can show that it is irrefutable, meaning that 
the negation of its negation is provable (and hence that its nega- 
tion is never provable): Say that a formula is stable if double 
negation elimination holds for it: Definitions similar to those in 
this chapter can be found in the standard library: 


Negation: Negation, with intuitionistic 
and classical logic 


module plfa.partl.Negation where 


This chapter introduces negation, and discusses intuitionistic and 
classical logic. 


Imports 


open import Relation.Binary.PropositionalEquality using ( = ; refl) 
open import Data.Nat using (N; zero; suc) 

open import Data.Empty using (1; L-elim) 

open import Data.Sum using ( WU ; inji; inj2) 


open import Data.Product using ( x ) 
open import plfa.partl.Isomorphism using ( = ; extensionality) 


Negation 


= : Set - Set 


“aA A=AL541 


This is a form of reductio ad absurdum: if assuming A leads to the 
conclusion (an absurdity), then we must have — A. 


Evidence that - A holds is of the form 
A{ x ~~ N } 


where N is a term of type t containing as a free variable x of 
type A. In other words, evidence that ~ A holds is a function 
that converts evidence that A holds into evidence that holds. 


a-elim : V {A : Set} 
~~ aAA 
7A 


o 1 
a-elim 7x X = 7X X 


Here we write ~x for evidence of ~ Aand x for evidence of A. 
This means that ~x must be a function of type A > 1, and 
hence the application -x x must be of type L. Note that this 
rule is just a special case of >-elim. 


infix 3 -_ 


Thus, > A x 7 Bparsesas (~ A) x (7 B) and ~ m = nas 
17 (m =n). 


—4-intro : V {A : Set} 
>A 


-A5A 


—4-intro x = A{-x > 7x x} 


Let x be evidence of A. We show that assuming ~ A leads toa 
contradiction, and hence = - A must hold. Let 7x be evidence 
of — A. Then from A and ~— A we have a contradiction, evi- 
denced by -x x. Hence, we have shown — 7 A. 


—4-intro’ : V {A :: Set} 
~A 


5. =< A 


Here we have simply converted the argument of the lambda term 
to an additional argument of the function. We will usually use 
this latter style, as it is more compact. 


——-elim : V {A : Set} 


4 aK 
aa5-eLlim --7X = A X ~ 7x (—~-intro x) 


Let 77>x be evidence of - = 7 A. We will show that assuming 
A leads to a contradiction, and hence - A must hold. Let x be 
evidence of A. Then by the previous result, we can conclude 7 
7 A, evidenced by -~-intro x. Then from 7 = 7 Aand 7 
— A we have a contradiction, evidenced by 7-77>x (77-intro 
x). Hence we have shown 7 A. 


contraposition : V {AB : Set} 
> (A > B) 
2 (7 B-- A) 

contraposition f 7y x = -y (f x) 


Let £ be evidence of A —~ Band let —-y be evidence of = B. We 
will show that assuming A leads to a contradiction, and hence ~ 
A must hold. Let x be evidence of A. Then from A > Band A 
we may conclude B, evidenced by f£ x, and from Band 7— B 
we may conclude 1, evidenced by ~y (f x). Hence, we have 
shown 7— A. 


# : V {A : Set} > A-A = Set 


x#y = 7 (x ey) 

—:122 

_=A() 

peano : V {m : N} > zero # suc m 
peano = A() 


The evidence is essentially the same, as the absurd pattern 
matches all possible evidence of type zero = suc m. 


Given the correspondence of implication to exponentiation and 
false to the type with no members, we can view negation as rais- 
ing to the zero power. This indeed corresponds to what we know 
for arithmetic, where 


sn = 1, At nn =-0 
= 0, if n #0 

id: Lol 

idx =x 

id’ : Lol 

id’ () 


id=id’ : id = id’ 
id=id’ = extensionality (A()) 


By extensionality, id = id’ holds if for every x in their do- 
main we have id x = id’ x. But there is no x in their do- 
main, so the equality holds trivially. 


assimilation : V {A : Set} (-x 7x’ : 7 A) = 7x = -x’ 
asSimilation 7x =x’ = extensionality (A x > L-elim (-x x)) 


Evidence for = A implies that any evidence of A immediately 
leads to a contradiction. But extensionality quantifies over all x 
such that A holds, hence any such x immediately leads to a con- 
tradiction, again causing the equality to hold trivially. 


Exercise <-irreflexive (recommended) 


Using negation, show that strict inequality is irreflexive, that is, 
n < nholds for no n. 


-- Your code goes here 


Exercise trichotomy (practice) 


Show that strict inequality satisfies trichotomy, that is, for any 
naturals mand n exactly one of the following holds: 


n 
n 
n 


3 
Veil A 


Here “exactly one” means that not only one of the three must 
hold, but that when one holds the negation of the other two must 
also hold. 


-- Your code goes here 


Exercise W—dual-x (recommended) 


Show that conjunction, disjunction, and negation are related by a 
version of De Morgan’s Law. 


7 (A UB) = (7 A) * (7 B) 


This result is an easy consequence of something we’ve proved 
previously. 


-- Your code goes here 


Do we also have the following? 
1 {Ax B) = (7 A) U (7 B) 


If so, prove; if not, can you give a relation weaker than isomor- 
phism that relates the two sides? 


Intuitive and Classical logic 


In Gilbert and Sullivan’s The Gondoliers, Casilda is told that as an 
infant she was married to the heir of the King of Batavia, but that 
due to a mix-up no one knows which of two individuals, Marco 
or Giuseppe, is the heir. Alarmed, she wails “Then do you mean 
to say that Iam married to one of two gondoliers, but it is impos- 
sible to say which?” To which the response is “Without any 
doubt of any kind whatever.” 


Logic comes in many varieties, and one distinction is between 
classical and intuitionistic. Intuitionists, concerned by assumptions 
made by some logicians about the nature of infinity, insist upon 
a constructionist notion of truth. In particular, they insist that a 
proof of A WU B must show which of A or B holds, and hence 
they would reject the claim that Casilda is married to Marco or 
Giuseppe until one of the two was identified as her husband. Per- 
haps Gilbert and Sullivan anticipated intuitionism, for their 
story’s outcome is that the heir turns out to be a third individual, 
Luiz, with whom Casilda is, conveniently, already in love. 


Intuitionists also reject the law of the excluded middle, which as- 
serts A WU -— A for every A, since the law gives no clue as to 
which of A or — A holds. Heyting formalised a variant of 
Hilbert’s classical logic that captures the intuitionistic notion of 
provability. In particular, the law of the excluded middle is prov- 
able in Hilbert’s logic, but not in Heyting’s. Further, if the law of 
the excluded middle is added as an axiom to Heyting’s logic, 
then it becomes equivalent to Hilbert’s. Kolmogorov showed the 
two logics were closely related: he gave a double-negation trans- 
lation, such that a formula is provable in classical logic if and 


only if its translation is provable in intuitionistic logic. 


Propositions as Types was first formulated for intuitionistic logic. 
It is a perfect fit, because in the intuitionist interpretation the 
formula A UW B is provable exactly when one exhibits either a 
proof of A ora proof of B, so the type corresponding to disjunc- 
tion is a disjoint sum. 


(Parts of the above are adopted from “Propositions as Types”, 
Philip Wadler, Communications of the ACM, December 2015.) 


Excluded middle is irrefutable 


postulate 
em: V {A : Set} -AUAA 


em-irrefutable : V {A : Set} +> 3-3 (A wu - A) 
em-irrefutable = A k +k (inj2 (A x >= k (inji x))) 


The best way to explain this code is to develop it interactively: 
em-irrefutable k = ? 


Given evidence k that = (A W — A), that is, a function that 
given a value of type A WU — A returns a value of the empty 
type, we must fill in ? with a term that returns a value of the 
empty type. The only way we can get a value of the empty type 
is by applying k itself, so let’s expand the hole accordingly: 


em-irrefutable k = k ? 


We need to fill the new hole with a value of type A U 7 A. We 
don’t have a value of type A to hand, so let’s pick the second dis- 
junct: 


em-irrefutable k = k (inj2 A{ x > ? }) 


The second disjunct accepts evidence of ~ A, that is, a function 
that given a value of type A returns a value of the empty type. 
We bind x to the value of type A, and now we need to fill in the 
hole with a value of the empty type. Once again, the only way 


we can get a value of the empty type is by applying k itself, so 
let’s expand the hole accordingly: 


em-irrefutable k = k (inj2 A{ x > k ? }) 


This time we do have a value of type A to hand, namely x, so 
we can pick the first disjunct: 


em-irrefutable k = k (inje2 A{ x > k (inji x) }) 
There are no holes left! This completes the proof. 


The following story illustrates the behaviour of the term we have 
created. (With apologies to Peter Selinger, who tells a similar 
story about a king, a wizard, and the Philosopher’s stone.) 


Once upon a time, the devil approached a man and made an of- 
fer: “Either (a) I will give you one billion dollars, or (b) I will 
grant you any wish if you pay me one billion dollars. Of course, I 
get to choose whether I offer (a) or (b).” 


The man was wary. Did he need to sign over his soul? No, said 
the devil, all the man need do is accept the offer. 


The man pondered. If he was offered (b) it was unlikely that he 
would ever be able to buy the wish, but what was the harm in 
having the opportunity available? 


“T accept,” said the man at last. “Do I get (a) or (b)?” 
The devil paused. “I choose (b).” 


The man was disappointed but not surprised. That was that, he 
thought. But the offer gnawed at him. Imagine what he could do 
with his wish! Many years passed, and the man began to accu- 
mulate money. To get the money he sometimes did bad things, 
and dimly he realised that this must be what the devil had in 
mind. Eventually he had his billion dollars, and the devil ap- 
peared again. 


“Here is a billion dollars,” said the man, handing over a valise 
containing the money. “Grant me my wish!” 


The devil took possession of the valise. Then he said, “Oh, did I 
say (b) before? I’m so sorry. I meant (a). It is my great pleasure 
to give you one billion dollars.” 


And the devil handed back to the man the same valise that the 
man had just handed to him. 


(Parts of the above are adopted from “Call-by-Value is Dual to 
Call-by-Name”, Philip Wadler, International Conference on Func- 
tional Programming, 2003.) 


Exercise Classical (stretch) 


Consider the following principles: 
* Excluded Middle: A WU — A, forall A 
* Double Negation Elimination: - = A - A, forall A 
¢ Peirce’s Law: ((A > B) > A) = A, forall Aand B. 
* Implication as disjunction: (A + B) > 7 A UW B, for all 
Aand B. 
* De Morgan: = (-~ A x 7 B) > A UV B, forall Aand B. 


Show that each of these implies all the others. 
-- Your code goes here 


Exercise Stable (stretch) 


Stable : Set > Set 
Stable A=--~A-A 


Show that any negated formula is stable, and that the conjunc- 
tion of two stable formulas is stable. 


-- Your code goes here 


Standard Prelude 


import Relation.Nullary using (-_) 


import Relation.Nullary.Negation using (contraposition) 


Unicode 


This chapter uses the following unicode: 


7 U+00AC NOT SIGN (\neg) 
# U+2262 NOT IDENTICAL TO (\==n) 


Put another way, if we know that V (x : A) -> B x holds 
and that Mis a term of type A then we may conclude that B M 
holds: Show that universals distribute over conjunction: Show 
that a disjunction of universals implies a universal of disjunc- 
tions: Consider the following type. We formalise existential quan- 
tification by declaring a suitable inductive type:We define a con- 
venient syntax for existentials as follows: Equivalently, we could 
also declare existentials as a record type: A common notation for 
existentials is 4 (analogous to v for universals). We follow the 
convention of the Agda standard library, and reserve this nota- 
tion for the case where the domain of the bound variable is left 
implicit: Given evidence that V x > B x = C holds, where c 
does not contain x as a free variable, and given evidence that 
3{ x ] B x holds, we may conclude that c holds: Indeed, the 
converse also holds, and the two together form an isomorphism: 
Show that existentials distribute over disjunction: Show that an 
existential of conjunctions implies a conjunction of existentials: 
Recall the definitions of even and odd from Chapter Relations: 
Here is the proof in the forward direction: Here is the proof in 
the reverse direction: Negation of an existential is isomorphic to 
the universal of a negation. Considering that existentials are gen- 
eralised disjunction and universals are generalised conjunction, 
this result is analogous to the one which tells us that negation of 
a disjunction is isomorphic to a conjunction of negations: Show 
that existential of a negation implies negation of a universal: Def- 
initions similar to those in this chapter can be found in the stan- 
dard library: 


Quantifiers: Universals and existentials 
module plfa.partl.Quantifiers where 


This chapter introduces universal and existential quantification. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 


open Eq using ( = ; refl) 
open import Data.Nat using (N; zero; suc; +; * ) 
open import Relation.Nullary using (-_) 


open import Data.Product using (_x ; proji; projz) renaming (_,_ 


open import Data.Sum using ( WU ; inji; injz) 


open import plfa.partl.Isomorphism using ( = ; extensionality) 


open import Function using (_°_) 


Universals 


We formalise universal quantification using the dependent func- 
tion type, which has appeared throughout this book. For in- 
stance, in Chapter Induction we showed addition is associative: 


t+-assoc : V (mn p: N) - (m+n) + p=m+4 (n + 
P) 


which asserts for all natural numbers m, n, and p that (m + 
n) + p =m + (n + p) holds. It is a dependent function, 
which given values for m, n, and p returns evidence for the cor- 
responding equation. 


In general, given a variable x of type A anda proposition B x 
which contains x as a free variable, the universally quantified 
proposition V (x : A) > B x holds if for every term M of 
type A the proposition B M holds. Here B M stands for the 
proposition B x with each free occurrence of x replaced by ™M. 
Variable x appears free in B x but boundin V (x : A) +B 
xX. 


Evidence that V (x : A) > B x holds is of the form 
A (x : A) ~N x 


where N x is aterm of type B x, and N xand B x both con- 
tain a free variable x of type A. Given a term L providing evi- 
dence that V (x : A) > B xholds, andaterm M of type A, 
the term L M provides evidence that B ™ holds. In other words, 
evidence that V (x : A) > B x holds is a function that con- 
verts aterm Mof type A into evidence that B ™ holds. 


to 


Y-elim : V {A : Set} {B : A > Set} 
> (L:V (x: A) 3B x) 

> (M: A) 

~BM 


Y-elim LM=LM 


As with +-elin, the rule corresponds to function application. 


Functions arise as a special case of dependent functions, where 
the range does not depend on a variable drawn from the domain. 
When a function is viewed as evidence of implication, both its ar- 
gument and result are viewed as evidence, whereas when a de- 
pendent function is viewed as evidence of a universal, its argu- 
ment is viewed as an element of a data type and its result is 
viewed as evidence of a proposition that depends on the argu- 
ment. This difference is largely a matter of interpretation, since 
in Agda a value of a type and evidence of a proposition are indis- 
tinguishable. 


Dependent function types are sometimes referred to as dependent 


products, because if A is a finite type with values x1 , - , 
Xn, and if each of the types B x1 , -* , B xnhasm =," , 
mn distinct members, then V (x : A) > B xhas m * - * 


mn Members. Indeed, sometimes the notation VY (x : A) > B 
x is replaced by a notation such as II[ x © A ] (B x), where 
Tl stands for product. However, we will stick with the name de- 
pendent function, because (as we will see) dependent product is 
ambiguous. 


Exercise V-distrib-—x (recommended) 


postulate 
V-distrib-x : V {A : Set} {B C : A > Set} - 
(V (x : A) > Bx x Cx) = (VW (x: A) ~ Bx) x (V (x: A) 


Compare this with the result (+>—-distrib-—~x) in Chapter Connec- 
tives. 


Exercise WV-implies-VW (practice) 


> C x) 


postulate 
WV-implies-Vu : V {A : Set} {B C : A = Set} = 
(V (x : A) > Bx) U (V (x : A) > C x) eV (x: A) Oe BxuCcx 


Does the converse hold? If so, prove; if not, explain why. 


Exercise V—~x (practice) 


data Tri : Set where 


aa: Tri 
bb : Tri 
ce ¢ Tri 


Let B be a type indexed by Tri, that is B : Tri > Set. 
Show that V (x : Tri) > B xis isomorphic to B aa x B 
bb x B cc. Hint: you will need to postulate a version of exten- 
sionality that works for dependent functions. 


Existentials 


Given a variable x of type A anda proposition B x which con- 
tains x as a free variable, the existentially quantified proposition 
={[ x € A ] B x holds if for some term M of type A the 
proposition B M holds. Here B M stands for the proposition B 
x With each free occurrence of x replaced by ™M. Variable x ap- 
pears freein B x but boundin ={[ x ©€ A] Bx. 


data (A: Set) (B : A > Set) : Set where 
(,): (x : A) 27Bx3>Z2AB 


X-syntax = x 
infix 2 X-syntax 
syntax X-syntax A (A x > Bx) = Xf x € A ] Bx 


This is our first use of a syntax declaration, which specifies that 
the term on the left may be written with the syntax on the right. 
The special syntax is available only when the identifier  - 
syntax is imported. 


Evidence that =[ x € A ] B xholdsisofthe form ( M, N 


) where ™ is a term of type A, and N is evidence that B M 
holds. 


record x’ (A: Set) (B : A = Set) : Set where 
field 
proji’ : A 
proj2’ : B proji’ 


Here record construction 


record 
{ proji’ =M 
; proj2’ =N 


} 
corresponds to the term 
(M,N) 
where Misa term of type Aand Nisa term of type B M. 


Products arise as a special case of existentials, where the second 
component does not depend on a variable drawn from the first 
component. When a product is viewed as evidence of a conjunc- 
tion, both of its components are viewed as evidence, whereas 
when it is viewed as evidence of an existential, the first compo- 
nent is viewed as an element of a datatype and the second com- 
ponent is viewed as evidence of a proposition that depends on 
the first component. This difference is largely a matter of inter- 
pretation, since in Agda a value of a type and evidence of a 
proposition are indistinguishable. 


Existentials are sometimes referred to as dependent sums, be- 


cause if Aisa finite type with values x1 , ** , Xn, andif each 
of the types B x1 , ** B xn has m , * , mn distinct mem- 
bers, then x=[ x € A ] B x has m + ° + mn members, 


which explains the choice of notation for existentials, since = 
stands for sum. 


Existentials are sometimes referred to as dependent products, 
since products arise as a special case. However, that choice of 


names is doubly confusing, since universals also have a claim to 
the name dependent product and since existentials also have a 
claim to the name dependent sum. 


43: V {A et} (B : A > Set) > Set 
4 {A} B = Ra B 


d-syntax = J 
syntax d-syntax (A x > B) = 4[ x ] B 


The special syntax is available only when the identifier 4- 
syntax is imported. We will tend to use this syntax, since it is 
shorter and more familiar. 


d-elim : V {A : Set} {B : A > Set} {C : Set} 
~ (Vx >-Bx-C) 


J-elimf (x,y)=fxy 


In other words, if we know for every x of type A that B x im- 
plies c, and we know for some x of type A that B x holds, 
then we may conclude that c holds. This is because we may in- 
stantiate that proof that Vv x > B x = C to any value x of 
type Aand any y of type B x, and exactly such values are pro- 
vided by the evidence for 3[ x ] B x. 


Vd-currying : V {A : Set} {B : A > Set} {C : Set} 
-~ (Vx +-Bx-C) = (AL x ] Bx = C) 
Va-currying = 


record 
{ to =Mf-M(x,y)-Ff xy f} 
; from = A{g7A{x-AL{y7qg(x,y) }}} 
: fromcto = A{ f = refl } 
; tocfrom = A{ g > extensionality A{ ( x , y ) > refl }} 
} 


The result can be viewed as a generalisation of currying. Indeed, 
the code to establish the isomorphism is identical to what we 
wrote when discussing implication. 


Exercise i-distrib-W (recommended) 


postulate 
d-distrib-u : V {A : Set} {B C : A > Set} - 
4. x ] (Bx uw C x) = (AL x ] B x) Uw (AT x ] C x) 


Exercise 4ix-implies—x3 (practice) 


postulate 
dx-implies-xd : V {A : Set} {B C : A > Set} - 
a. x ] (Bx x C x) = (AL x ] B x) x (AT x ] C x) 


Does the converse hold? If so, prove; if not, explain why. 
Exercise i-W (practice) 


Let Tri and B beas in Exercise V—x. Show that 3[ x ] B x 
is isomorphic to B aa WU B bb UW B cc. 


An existential example 


data even : N = Set 
data odd_ : N > Set 


data even where 
even-zero : even zero 


even-suc : V {n : N} 
~ odd n 


> even (suc n) 


data odd where 
odd-suc : V {n : N} 
> even n 


~ odd (suc n) 


A number is even if it is zero or the successor of an odd number, 
and odd if it is the successor of an even number. 


We will show that a number is even if and only if it is twice some 
other number, and odd if and only if it is one more than twice 
some other number. In other words, we will show: 


even niff 3[ m] ( m * 2 = n) 


odd 


niff 3[ m] (1 +m * 2 =n) 


By convention, one tends to write constant factors first and to 
put the constant term in a sum last. Here we’ve reversed each of 
those conventions, because doing so eases the proof. 


even-d : V {n : N} - evenn - J[ m ] ( m* 2 =n) 
odd-3 : V {n : N} > oddn-di[m] (1 +m * 2 =n) 
even-4d even-zero = ( zero , refl ) 
even-4 (even-suc 0) with odd-4 o 

| (m, refl ) = ( sucm, refl ) 
odd-4 (odd-suc e) with even-de 

| (m, refl) = (m, refl ) 


We define two mutually recursive functions. Given evidence that 
n is even or odd, we return a number m and evidence that m * 


2 = 


nor 1 +m * 2 = n. We induct over the evidence that n 


is even or odd: 


If the number is even because it is zero, then we return a 
pair consisting of zero and the evidence that twice zero is 
zero. 


If the number is even because it is one more than an odd 
number, then we apply the induction hypothesis to give a 
number mand evidence that 1 + m * 2 = n. Wereturn 
a pair consisting of suc mand evidence that suc m * 2 
= suc _n, which is immediate after substituting for n. 


If the number is odd because it is the successor of an even 
number, then we apply the induction hypothesis to give a 
number m and evidence that m * 2 = n. We returna 
pair consisting of m and evidence that 1 + m * 2 = 
suc _n, which is immediate after substituting for n. 


This completes the proof in the forward direction. 


d-even: V {n : N} > AL m ] ( m* 2£n) > evenn 
d-odd :V{n:N}>-3Lm] (1 +m* 2=n) - oddn 
d-even ( zero , refl ) even-zero 


d-even ( sucm, refl ) even-suc (d-odd (m, refl )) 


J-odd ( m, refl ) 


odd-suc (d-even (m, refl )) 


Given a number that is twice some other number we must show 
it is even, and a number that is one more than twice some other 
number we must show it is odd. We induct over the evidence of 
the existential, and in the even case consider the two possibilities 
for the number that is doubled: 


* In the even case for zero, we must show zero * 2 is 
even, which follows by even-zero. 


* In the even case for suc n, we must show suc m * 2 is 
even. The inductive hypothesis tells us that 1 + m * 2 is 
odd, from which the desired result follows by even-suc. 


¢ In the odd case, we must show 1 + m * 2 is odd. The in- 
ductive hypothesis tell us that m * 2 is even, from which 
the desired result follows by odd-suc. 


This completes the proof in the backward direction. 

Exercise j-even-odd (practice) 

How do the proofs become more difficult if we replace m * 2 
and 1 + m * 2 by 2 * mand 2 * m + 1? Rewrite the 


proofs of 3-even and j-odd when restated in this way. 


-- Your code goes here 


Exercise i-+-< (practice) 


Show that y < z holds if and only if there exists a x such that 
xX + YyY = Z, 


-- Your code goes here 


Existentials, Universals, and Negation 


-=J=V- : V {A : Set} {B : A > Set} 
~(- 3, x ]Bx)=Vx--Bx 


record 
{ to = A{ ~dxy x y > ~dxy (x, y ) } 
; from = A{ Waxy (x, y ) = Woxy x y } 
; fromcto = A{ 7dxy - extensionality A{ (x , y ) > refl } } 
; tocfrom = A{ VWrxy - refl } 
t 


In the to direction, we are given a value ~4xy of type ~ 3[ x 
] B x, and need to show that given a value x that - B x fol- 
lows, in other words, from a value y of type B x we can derive 
false. Combining x and y gives usa value ( x , y ) of type 
3[ x ] B x, and applying —4xy to that yields a contradiction. 


In the from direction, we are given a value V~>xy of type V x 
+ 71 B x, and need to show that from a value ( x , y ) of 
type 3[ x ] B x we can derive false. Applying v-xy to x 
gives a value of type - B x, and applying that to y yields a 
contradiction. 


The two inverse proofs are straightforward, where one direction 
requires extensionality. 


Exercise j7--implies-—~V (recommended) 


postulate 
dn-implies--V : V {A : Set} {B : A > Set} 
~ 4J[ x ] (7B x) 


Does the converse hold? If so, prove; if not, explain why. 


Exercise Bin-isomorphisnm (stretch) 


Recall that Exercises Bin, Bin-laws, and Bin-predicates define a 
datatype Bin of bitstrings representing natural numbers, and 
asks you to define the following functions and predicates: 


£0 : N + Bin 
from : Bin > N 
Can : Bin > Set 


And to establish the following properties: 


from (to n) =n 
Can (to n) 

Can b 

to (from b) =b 


Using the above, establish that there is an isomorphism between 
Nand 4[ b ] Can b. 


We recommend proving the following lemmas which show that, 
for a given binary number b, there is only one proof of One b 
and similarly for Can b. 

=One : V {b : Bin} (0 o’ : One b) > 0 = 0’ 


=Can : V {b : Bin} (cb cb’ : Can b) > ch = ch’ 


Many of the alternatives for proving toefrom turn out to be 
tricky. However, the proof can be straightforward if you use the 
following lemma, which is a corollary of =Can. 


projyia=-Can= : {cb cb’ : 4[ b ] Can b} - proji cb 
= proji cb’ > cb = cb’ 


-- Your code goes here 


Standard library 


import Data.Product using (2; _, ; 4; Z-syntax; d-syntax) 


Unicode 


This chapter uses the following unicode: 


MN U+03A0 GREEK CAPITAL LETTER PI (\Pi) 
x= U+03A3 GREEK CAPITAL LETTER SIGMA (\Sigma) 
4a U+2203 THERE EXISTS (\ex, \exists) 


Recall that Chapter Relations defined comparison as an induc- 
tive datatype, which provides evidence that one number is less 
than or equal to another:For example, we can provide evidence 
that 2 < 4, and show there is no possible evidence that 4 < 2: 
An alternative, which may seem more familiar, is to define a type 
of booleans:Given booleans, we can define a function of two 
numbers that computes to true if the comparison holds and to 
false otherwise:The first and last clauses of this definition re- 
semble the two constructors of the corresponding inductive 
datatype, while the middle clause arises because there is no pos- 
sible evidence that suc m < zero for any m. For example, we 
can compute that 2 <> 4 holds, and we can compute that 4 <> 
2 does not hold: We would hope to be able to show these two ap- 
proaches are related, and indeed we can. First, we define a func- 
tion that lets us map from the computation world to the evidence 
world: Another way to put this is that T b is inhabited exactly 
when b = true is inhabited. In the forward direction, we need 
to do a case analysis on the boolean b: In the reverse direction, 
there is no need for a case analysis on the boolean b: In the for- 
ward direction, we consider the three clauses in the definition of 
_<>_: In the reverse direction, we consider the possible forms of 
evidence that m < n: A function that returns a boolean returns 
exactly a single bit of information: does the relation hold or does 
it not? Conversely, the evidence approach tells us exactly why 
the relation holds, but we are responsible for generating the evi- 
dence. But it is easy to define a type that combines the benefits 
of both approaches. It is called Dec A, where Dec is short for 
decidable: First, we introduce two functions useful for construct- 
ing evidence that an inequality does not hold: Using these, it is 
straightforward to decide an inequality: We can use our new 
function to compute the evidence that earlier we had to think up 
on our own: Analogous to the function above, define a function 
to decide strict inequality: Define a function to decide whether 
two naturals are equal: Curious readers might wonder if we 
could reuse the definition of m <> n, together with the proofs 
that it is equivalent to m < n, to show decidability. Indeed, we 
can do so as follows: Erasure takes a decidable value to a bool- 
ean:Using erasure, we can easily derive _<>_ from _<?_:Fur- 
ther, if D is a value of type Dec A, then T | D |] is inhabited 


exactly when A is inhabited:Using these, we can easily derive 
that T (m <’ n) is inhabited exactly when m < n is inhab- 
ited: The conjunction of two booleans is true if both are true, and 
false if either is false: Correspondingly, given two decidable 
propositions, we can decide their conjunction: The disjunction of 
two booleans is true if either is true, and false if both are false: 
Correspondingly, given two decidable propositions, we can de- 
cide their disjunction: The negation of a boolean is false if its ar- 
gument is true, and vice versa:Correspondingly, given a decid- 
able proposition, we can decide its negation: There is also a 
slightly less familiar connective, corresponding to implication: 
Correspondingly, given two decidable propositions, we can de- 
cide if the first implies the second: Show that erasure relates cor- 
responding boolean and decidable operations: Give analogues of 
the _©_ operation from Chapter Isomorphism, operation on 
booleans and decidables, and also show the corresponding era- 
sure: 


Decidable: Booleans and decision proce- 
dures 


module plfa.partl.Decidable where 


We have a choice as to how to represent relations: as an induc- 
tive data type of evidence that the relation holds, or as a function 
that computes whether the relation holds. Here we explore the re- 
lation between these choices. We first explore the familiar notion 
of booleans, but later discover that these are best avoided in 
favour of a new notion of decidable. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 

open Eq using ( = ; refl) 

open Eq.=-Reasoning 

open import Data.Nat using (N; zero; suc) 

open import Data.Product using (_x_) renaming (_, to (_, )) 
open import Data.Sum using ( WU ; inji; inj2) 


open import Relation.Nullary using (-—_) 


open import Relation.Nullary.Negation using () 
renaming (contradiction to ---intro) 

open import Data.Unit using (T; tt) 

open import Data.Empty using (1; L-elim) 

open import plfa.partl.Relations using (_ < ; z<s; s<s) 

open import plfa.partl.Isomorphism using ( # ) 


Evidence vs Computation 


infix 4 s 


data _ <= : N-N -> Set where 


zsn : V {n : N} 


7"4s2 : 7 (4 
74<2 (sss ( 


The occurrence of () attests to the fact that there is no possible 
evidence for 2 < 0, which z<n cannot match (because 2 is 
not zero) and s<s cannot match (because 0 cannot match 
suc n). 


data Bool : Set where 
true : Bool 
false : Bool 


infix 4 <> 


<5 : N-=N-=- Bool 


zero <° n = true 
suc m s® zero = false 
suc m s® suc n = ms? n 


In the first case, it takes two steps to reduce the first argument to 
zero, and one more step to compute true, corresponding to the 
two uses of s<s and the one use of z<n when providing evi- 
dence that 2 < 4. In the second case, it takes two steps to re- 
duce the second argument to zero, and one more step to compute 
false, corresponding to the two uses of s<s and the one use of 
() when showing there can be no evidence that 4 < 2. 


Relating evidence and computation 


T : Bool > Set 
T true = T 
T false = L 


Recall that T is the unit type which contains the single element 
tt, and the 1 is the empty type which contains no values. (Also 
note that T is a capital letter t, and distinct from T.) If b is of 
type Bool, then tt provides evidence that T b holds if b is 
true, while there is no possible evidence that T b holds if b is 


false. 


T-= : V (b : Bool) > T b = b = true 
T-= true tt = refl 
T-= false () 


If b is true then T b is inhabited by tt and b = true is in- 
habited by ref1, while if b is false then T b in uninhabited. 


=T : V {b : Bool} ~- b = true - Tb 
=T refl = tt 


If b = true is inhabited by refl we know that b is true 
and hence T b is inhabited by tt. 


Now we can show that T (m <? n) is inhabited exactly when 
m < nis inhabited. 


s$os : V (mn: N) > T (ms° n) omen 
<>< zero n tt = zsn 

<>< (suc m) zero () 

s'o=s (suc m) (suc n) t = Sss (soos mn t) 


In the first clause, we immediately have that zero <? n is true, 
so T (m <? n) is evidenced by tt, and correspondingly m < 
n is evidenced by z<n. In the middle clause, we immediately 
have that suc m < zero is false, and hence T (m <? n) is 
empty, so we need not provide evidence that m < n, which is 
just as well since there is no such evidence. In the last clause, we 
have that suc m <> suc nrecurses to m <> n. We let t be 
the evidence of T (suc m < suc n) if it exists, which, by 
definition of _<"_, will also be evidence of T (m <? n). We 
recursively invoke the function to get evidence that m < n, 
which s<s converts to evidence that suc m < suc n. 


<<) : Vimn:N} >mesn-T (ms? n) 
<-s> z<n = tt 
<-s> (sss msn) = ss? msn 


If the evidence is z<n then we immediately have that zero <> 


n is true,so T (m <? n) is evidenced by tt. If the evidence is 
s<s applied to m<n, then suc m <> suc n reduces to m <> 
n, and we may recursively invoke the function to produce evi- 
dence that T (m <? n). 


The forward proof has one more clause than the reverse proof, 
precisely because in the forward proof we need clauses corre- 
sponding to the comparison yielding both true and false, while in 
the reverse proof we only need clauses corresponding to the case 
where there is evidence that the comparison holds. This is ex- 
actly why we tend to prefer the evidence formulation to the com- 
putation formulation, because it allows us to do less work: we 
consider only cases where the relation holds, and can ignore 
those where it does not. 


On the other hand, sometimes the computation formulation may 
be just what we want. Given a non-obvious relation over large 
values, it might be handy to have the computer work out the an- 
swer for us. Fortunately, rather than choosing between evidence 
and computation, there is a way to get the benefits of both. 


The best of both worlds 


data Dec (A : Set) : Set where 
yes : A - Dec A 
no :-7A-DecA 


Like booleans, the type has two constructors. A value of type 
Dec A is either of the form yes x, where x provides evidence 
that A holds, or of the form no “x, where ~x provides evi- 
dence that A cannot hold (that is, -x is a function which given 
evidence of A yields a contradiction). 


For example, we define a function _<?_ which given two num- 
bers decides whether one is less than or equal to the other, and 
provides evidence to justify its conclusion. 


as<sz : V {m : N} > - (suc m gs zero) 


asss : V {mn : N} > 7 (msn) > - (Suc ms SuC n) 


as<s 7-msn (sss msn) = -msn msn 


The first of these asserts that > (suc m < zero), and follows 
by absurdity, since any evidence of inequality has the form 
zero < nor suc m < suc n, neither of which match suc m 
< zero. The second of these takes evidence -m<n of 7 (m < 
n) and returns a proof of = (suc m < suc n). Any evidence 
of suc m < suc n must have the form s<s m<n where m<n 
is evidence that m < n. Hence, we have a contradiction, evi- 
denced by -m<n m<n. 


_s?_ : V (mn: N) - Dec (msn) 

zero s? n = yes zsn 

suc m <? zero = no 7S<z 

suc m s? suc n with m <? n 
| yes msn = yes (SssS msn) 
| no -msn = no (=Sss =msn) 


As with _<»_, the definition has three clauses. In the first clause, 
it is immediate that zero < n holds, and it is evidenced by 
z<n. In the second clause, it is immediate that suc m < zero 
does not hold, and it is evidenced by ~s<z. In the third clause, 
to decide whether suc m < suc _n holds we recursively invoke 
m <? n. There are two possibilities. In the yes case it returns 
evidence m<n that m < n, and s<s m<n provides evidence 
that suc m < suc n.Inthe no case it returns evidence -m<n 
that - (m < n), and ~s<s -m<n provides evidence that 7 
(suc m < suc n). 


When we wrote _<»_, we had to write two other functions, 
<>< and <-<»®, in order to show that it was correct. In contrast, 
the definition of _<?_ proves itself correct, as attested to by its 
type. The code of _<?_ is far more compact than the combined 
code of _<>_, <><, and <-<>. As we will later show, if you re- 
ally want the latter three, it is easy to derive them from _<?_. 


_: 2s? 4 = yes (sss (sss zsn)) 
= refl 


: 4s? 2 
= refl 


no (-sss (-sss 7Ssz) ) 


You can check that Agda will indeed compute these values. Typ- 
ing C-c cC-n and providing 2 <? 4 or 4 <? 2 as the re- 
quested expression causes Agda to print the values given above. 
(A subtlety: if we do not define -s<z and ~s<s as top-level 
functions, but instead use inline anonymous functions then Agda 
may have trouble normalising evidence of negation.) 


Exercise _<?_ (recommended) 


postulate 
_<?_: V (mn: N) > Dec (m < n) 


-- Your code goes here 
Exercise _=N?_ (practice) 


postulate 
_=N?_ : V (mn: N) = Dec (m= n) 


-- Your code goes here 


Decidables from booleans, and booleans from de- 
cidables 


_s?’  : V (mn: N) - Dec (m s n) 

ms?’ nwith ms° n | s’<s mn | ss? {m} {n} 
| true |p } = yes (p tt) 
| false | | =p = no 7p 


If m <> nis true then <>< yields a proof that m < n holds, 
while if it is false then <><» takes a proof that m < n holds into 
a contradiction. 


The triple binding of the with clause in this proof is essential. If 
instead we wrote: 


—<?"_ : V (mn: N) = Dec (m < n) 
m <2?" n with m <?n 


| true yes 


(<P< mon tt) 
| false = no (<-> 


<P {m} {n}) 
then Agda would make two complaints, one for each clause: 


T !=< (T (m <> n)) of type Set 
when checking that the expression tt has type T 
(m <P n) 


T (m <> n) !=< L of type Set 
when checking that the expression <-<> {m} {n} 
has type 7" m<n 


Putting the expressions into the with clause permits Agda to ex- 
ploit the fact that T (m <> n) is T when m <? n is true, and 
that T (m <> n) is L when m <? nis false. 


However, overall it is simpler to just define _<?_ directly, as in 
the previous section. If one really wants _<? _, then it and its 


properties are easily derived from _<?_, as we will now show. 


|_|] : V {A : Set} + Dec A = Bool 


| yes x ] = true 

| no =x | = false 
_s>’ : NN >= Bool 
ms>’ n = | ms?n ] 


toWitness : V {A : Set} {D : Dec A} > TIL DIA 
toWitness {A} {yes x} tt = x 
toWitness {A} {no -x} () 


fromwitness : V {A : Set} {D : Dec A} > A-TID ] 
fromWitness {A} {yes x} _ GE 
fromWitness {A} {no -x} x 


<>’os : V{mn: N} > T (m s®’ n) omen 
<>’s< = toWitness 


xs’ : Vimn:N} >mesn-T (ms>’ n) 
<->’ = fromWitness 


In summary, it is usually best to eschew booleans and rely on de- 
cidables. If you need booleans, they and their properties are eas- 
ily derived from the corresponding decidables. 


Logical connectives 


Most readers will be familiar with the logical connectives for 
booleans. Each of these extends to decidables. 


infixr 6 A_ 


A: Bool = Bool = Bool 


true A true = true 
false A _ = false 
A false = false 


In Emacs, the left-hand side of the third equation displays in 
grey, indicating that the order of the equations determines which 
of the second or the third can match. However, regardless of 
which matches the answer is the same. 


infixr 6 _x-dec_ 


_x-dec_ : V {A B: Set} - Dec A = Dec B > Dec (A x B) 
yes x x-dec yes y = yes (x,y) 
no =x x-dec _ no A{ (x,y )77x x } 

x-dec no -y=noA{ (x,y)>-7yy } 


The conjunction of two propositions holds if they both hold, and 
its negation holds if the negation of either holds. If both hold, 
then we pair the evidence for each to yield evidence of the con- 
junct. If the negation of either holds, assuming the conjunct will 
lead to a contradiction. 


Again in Emacs, the left-hand side of the third equation displays 
in grey, indicating that the order of the equations determines 
which of the second or the third can match. This time the answer 
is different depending on which matches; if both conjuncts fail to 
hold we pick the first to yield the contradiction, but it would be 
equally valid to pick the second. 


infixr 5 v_ 


v: Bool = Bool = Bool 


true v _ = true 
= v true = true 
false v false = false 


In Emacs, the left-hand side of the second equation displays in 
grey, indicating that the order of the equations determines which 
of the first or the second can match. However, regardless of 
which matches the answer is the same. 


infixr 5 W-dec_ 


_y-dec_ : V {A B: Set} - Dec A = Dec B = Dec (A WU B) 

yes X W-dec _ yes (inji x) 

_ W-dec yes y = yes (inj2 y) 

no =x W-dec no -y = no A{ (inji xX) > =x x ; (injz y) > -y y } 


The disjunction of two propositions holds if either holds, and its 
negation holds if the negation of both hold. If either holds, we in- 
ject the evidence to yield evidence of the disjunct. If the negation 
of both hold, assuming either disjunct will lead to a contradic- 
tion. 


Again in Emacs, the left-hand side of the second equation dis- 
plays in grey, indicating that the order of the equations deter- 
mines which of the first or the second can match. This time the 
answer is different depending on which matches; if both dis- 
juncts hold we pick the first, but it would be equally valid to pick 
the second. 


not : Bool — Bool 
not true false 
not false = true 


=? : V {A : Set} - Dec A = Dec (- A) 
3? (yes x) no (-7-intro x) 
3? (no 7x) yes -X 


We simply swap yes and no. In the first equation, the right-hand 


side asserts that the negation of —~ A holds, in other words, that 
-+ - A holds, which is an easy consequence of the fact that A 
holds. 


_>_ : Bool = Bool - Bool 


_ > true = true 
false > | = true 
true > false = false 


One boolean implies another if whenever the first is true then the 
second is true. Hence, the implication of two booleans is true if 
the second is true or the first is false, and false if the first is true 
and the second is false. In Emacs, the left-hand side of the second 
equation displays in grey, indicating that the order of the equa- 
tions determines which of the first or the second can match. 
However, regardless of which matches the answer is the same. 


_>-dec_ : V {AB : Set} - Dec A = Dec B = Dec (A = B) 
_ >-dec yes y yes (A_ => y) 

no =X »-dec _ yes (A x > L-elim (-x x)) 

yes x »-dec no -y no (A f > -y (f x)) 


The implication holds if either the second holds or the negation 
of the first holds, and its negation holds if the first holds and the 
negation of the second holds. Evidence for the implication is a 
function from evidence of the first to evidence of the second. If 
the second holds, the function returns the evidence for it. If the 
negation of the first holds, the function takes the evidence of the 
first and derives a contradiction. If the first holds and the nega- 
tion of the second holds, given evidence of the implication we 
must derive a contradiction; we apply the evidence of the impli- 
cation f to the evidence of the first x, yielding a contradiction 
with the evidence ~y of the negation of the second. 


Again in Emacs, the left-hand side of the second equation dis- 
plays in grey, indicating that the order of the equations deter- 
mines which of the first or the second can match. This time the 
answer is different depending on which matches; but either is 
equally valid. 


Exercise erasure (practice) 


postulate 


A-x : V {AB : Set} (x : Dec A) (y : Dec B) >| x Jaly] 
v-y : V {AB : Set} (x : Dec A) (y : Dec B) >| x J vly] 
not-- : V {A : Set} (x : Dec A) > not | x ]=I[-7? x J 


Exercise iff-erasure (recommended) 


postulate 
_iff_ : Bool - Bool - Bool 
_e-dec_ : V {AB : Set} > Dec A = Dec B = Dec (A & B) 
iff-° : V {AB : Set} (x : Dec A) (y : Dec B) > | x | iff | 


-- Your code goes here 


Proof by reflection 


Let’s revisit our definition of monus from Chapter Naturals. If we 
subtract a larger number from a smaller number, we take the re- 
sult to be zero. We had to do something, after all. What could we 
have done differently? We could have defined a guarded version 
of minus, a function which subtracts n from monly if n < m: 


minus m zero = m 
minus (suc m) (suc n) (sss nsm) = minus mn nsm 


minus : (mn: N) (nsm: nsm) oN 
Unfortunately, it is painful to use, since we have to explicitly 
provide the proof that n < m: 


_ : minus 5 3 (sss (sss (SsS zsn))) = 2 
_=refl 


We cannot solve this problem in general, but in the scenario 
above, we happen to know the two numbers statically. In that 
case, we can use a technique called proof by reflection. Essen- 
tially, we can ask Agda to run the decidable equality n <? m 
while type checking, and make sure that n < m! 


We do this by using a feature of implicits. Agda will fill in an im- 


plicit of a record type if it can fill in all its fields. So Agda will al- 
ways manage to fill in an implicit of an empty record type, since 
there aren’t any fields after all. This is why T is defined as an 
empty record. 


The trick is to have an implicit argument of the type T L n <? 
m J. Let’s go through what this means step-by-step. First, we run 
the decision procedure, n <? m. This provides us with evidence 
whether n < m holds or not. We erase the evidence to a bool- 
ean. Finally, we apply T. Recall that T maps booleans into the 
world of evidence: true becomes the unit type T, and false 
becomes the empty type LL. Operationally, an implicit argument 
of this type works as a guard. 


* If n < mholds, the type of the implicit value reduces to 
T. Agda then happily provides the implicit value. 

* Otherwise, the type reduces to 1, which Agda has no 
chance of providing, so it will throw an error. For instance, 
if we call 3 - 5 weget _n<m_254 : L. 


We obtain the witness for n < musing toWitness, which we 
defined earlier: 


- : (mn: N) {nsm: T 1 ns? m J} ON 


_-_ mn {nsm} = minus mn (toWitness nsm) 


We can safely use _-_ as long as we statically know the two 
numbers: 

_ftb=eS3e2 

_=refl 


It turns out that this idiom is very common. The standard library 
defines a synonym for T L ? | called True: 


Exercise False (practice) 


Give analogues of True, toWitness, and fromWitness 
which work with negated properties. Call these False, 
toWitnessFalse, and fromWitnessFalse. 


Standard Library 


import Data.Bool.Base using (Bool; true; false; T; A; v_; not) 
import Data.Nat using (_s?_) 

import Relation.Nullary using (Dec; yes; no) 

import Relation.Nullary.Decidable using (|_|; True; toWitness; fromb 
import Relation.Nullary.Negation using (-?) 

import Relation.Nullary.Product using (_x-dec_ ) 

import Relation.Nullary.Sum using (_W-dec_) 

import Relation.Binary using (Decidable) 


Unicode 


U+2227 LOGICAL AND (\and, \wedge) 
U+2228 LOGICAL OR (\or, \vee) 

U+2283 SUPERSET OF (\sup) 

U+1D47 MODIFIER LETTER SMALL B (\*%b) 
U+230A LEFT FLOOR (\cl1L) 

U+230B RIGHT FLOOR (\c1R) 


tL—-t O3U< > 


Lists are defined in Agda as follows: For example, As we’ve seen, 
parameterised types can be translated to indexed types. The defi- 
nition above is equivalent to the following:Each constructor takes 
the parameter as an implicit argument. Thus, our example list 
could also be written: We can write lists more conveniently by 
introducing the following definitions: Here is an example, show- 
ing how to compute the result of appending two lists: We can 
reason about lists in much the same way that we reason about 
numbers. Here is the proof that append is associative: It is also 
easy to show that [] is a left and right identity for _++_. That 
it is a left identity is immediate from the definition:That it is a 
right identity follows by simple induction: Our next function 
finds the length of a list: Here is an example showing how to 
compute the length of a list: The length of one list appended to 
another is the sum of the lengths of the lists: Using append, it is 
easy to formulate a function to reverse a list: Here is an example 
showing how to reverse a list: The definition above, while easy 
to reason about, is less efficient than one might expect since it 
takes time quadratic in the length of the list. The idea is that we 
generalise reverse to take an additional argument: Shunt is re- 
lated to reverse as follows: Having defined shunt by generalisa- 
tion, it is now easy to respecialise to give a more efficient defini- 
tion of reverse:Given our previous lemma, it is straightforward to 
show the two definitions equivalent:Here is an example showing 
fast reverse of the list [ 0 , 1 , 2 ]: Map applies a function 
to every element of a list to generate a corresponding list. Map is 
an example of a higher-order function, one which takes a function 
as an argument or returns a function as a result: Here is an exam- 
ple showing how to use map to increment every element of a list: 
It is often convenient to exploit currying by applying map to a 
function to yield a new function, and at a later point applying 
the resulting function: Define a type of trees with leaves of type 
A and internal nodes of type B: Fold takes an operator and a 
value, and uses the operator to combine each of the elements of 
the list, taking the given value as the result for the empty list: 
Here is an example showing how to use fold to find the sum of a 
list: It is often convenient to exploit currying by applying fold to 
an operator and a value to yield a new function, and at a later 
point applying the resulting function: Define a function that 


counts down as follows:For example: We can define a monoid as 
a suitable record type:As examples, sum and zero, multiplication 
and one, and append and the empty list, are all examples of 
monoids:If _® and e form a monoid, then we can re-express 
fold on the same operator and an arbitrary value:In a previous 
exercise we showed the following.As a consequence we can de- 
compose fold over append in a monoid into two folds as follows. 
Predicate All P holds if predicate P is satisfied by every ele- 
ment of a list: For example, All (_< 2) holds of a list where 
every element is less than or equal to two. Recall that z<n 
proves zero < n for any n, and that if m<n proves m < n 
then s<s m<n proves suc m < suc n, for any mand n: 
Predicate Any P holds if predicate P is satisfied by some ele- 
ment of a list:The first constructor provides evidence that the 
head of the list satisfies P, while the second provides evidence 
that some element of the tail of the list satisfies P. For example, 
we can define list membership as follows:For example, zero is an 
element of the list [ 0 , 1 , 0 , 2 J. Indeed, we can 
demonstrate this fact in two different ways, corresponding to the 
two different occurrences of zero in the list, as the first element 
and as the third element:Further, we can demonstrate that three 
is not in the list, because any possible proof that it is in the list 
leads to contradiction: A predicate holds for every element of one 
list appended to another if and only if it holds for every element 
of both lists: If we consider a predicate as a function that yields a 
boolean, it is easy to define an analogue of A11, which returns 
true if a given predicate returns true for every element of a list: 
As one would hope, if we replace booleans by decidables there is 
again an analogue of A11. First, return to the notion of a predi- 
cate P asa function of type A > Set, taking a value x of type 
A into evidence P x that a property holds for x. Say that a 
predicate P is decidable if we have a function that for a given x 
can decide P x:Then if predicate P is decidable, it is also decid- 
able whether every element of a list satisfies the predicate: The 
relation merge holds when two lists merge to give a third 
list.For example, Definitions similar to those in this chapter can 
be found in the standard library: 


Lists: Lists and higher-order functions 


module plfa.partl.Lists where 


This chapter discusses the list data type. It gives further examples 
of many of the techniques we have developed so far, and pro- 
vides examples of polymorphic types and higher-order functions. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 
open Eq using ( = ; refl; sym; trans; cong) 
open Eq.=-Reasoning 
open import Data.Bool using (Bool; true; false; T; A; v_; not) 
open import Data.Nat using (N; zero; suc; +; *; +; sj; SsS; z 
open import Data.Nat.Properties using 

(+-assoc; +-identity!; +-identity"; *-assoc; *-identity'; *-identi 
open import Relation.Nullary using (-_; Dec; yes; no) 
open import Data.Product using (_x ; 4; d-syntax) renaming ( ,_ to ( 
open import Function using ( ° ) 


open import Level using (Level) 
open import plfa.partl.Isomorphism using (=; @ ) 


Lists 


data List (A : Set) : Set where 
[] : List A 
no: A-List A-List A 


infixr 5 on 


Let’s unpack this definition. If A is a set, then List A isa set. 
The next two lines tell us that [] (pronounced nil) is a list of 
type A (often called the empty list), and that _::_ (pronounced 
cons, short for constructor) takes a value of type A and a value of 
type List A and returns a value of type List A. Operator 


_::_ has precedence level 5 and associates to the right. 


. ? Last 


iN 
_=0 aa 


Lin22 [] 
denotes the list of the first three natural numbers. Since _::_ as- 
sociates to the right, the term parses as 0 :: (1 :: (2 :: [])). 


Here 0 is the first element of the list, called the head, and 1 

(2 :: []) is a list of the remaining elements, called the tail. A 
list is a strange beast: it has a head and a tail, nothing in be- 
tween, and the tail is itself another list! 


data List’ : Set > Set where 
[]’ : V {A : Set} = List’ A 
mn’: VW {A : Set} - A > List’ A - List’ A 


_ : List N 
— = {NFO Ce {N} 1 (oe {NF 2 (LT) {N}))) 


where here we have provided the implicit parameters explicitly. 
Including the pragma: 
{-# BUILTIN LIST List #-} 


tells Agda that the type List corresponds to the Haskell type 
list, and the constructors [] and _::_ correspond to nil and cons 
respectively, allowing a more efficient representation of lists. 


List syntax 


pattern [ ]z=z: [] 

pattern [ , ]yz=yuzazen f[] 

pattern [ ,, ]}xyz=xuyuazeun [] 

pattern [_,,,I]wxyzZ=wuxuyuazen [] 

pattern[ , , ,, ]VwxyzZz=vuwhnxnyuazn [] 

pattern [_,,,,,]UVWXyYZ=UEVEWEX Rar ae |e 


This is our first use of pattern declarations. For instance, the 
third line tells us that [ x , y , z ] is equivalent to x :: y 

z :: [], and permits the former to appear either in a pattern 
on the left-hand side of an equation, or a term on the right-hand 
side of an equation. 


Append 


Our first function on lists is written _++_ and pronounced ap- 
pend: 


infixr 5 ++_ 


_++ : V {A : Set} > List A> List A> List A 
[] ++ yS = ys 
(xX = XS) +4 yS = X 8 (XS ++ ys) 


The type A is an implicit argument to append, making it a poly- 
morphic function (one that can be used at many types). A list ap- 
pended to the empty list yields the list itself. A list appended to a 
non-empty list yields a list with the head the same as the head of 
the non-empty list, and a tail the same as the other list appended 
to tail of the non-empty list. 


Appending two lists requires time linear in the number of ele- 
ments in the first list. 


Reasoning about append 


t++-assoc : V {A : Set} (xs ys zs : List A) 
> (xs ++ yS) ++ ZS = xS ++ (yS ++ ZS) 
++-assoc [] ys zs = 
begin 
([] ++ ys) ++ zs 
1} 


ys t+ zs 


[] ++ (ys ++ zs) 
g 
++-assoc (X =: XS) yS ZS = 


begin 
(xX = XS ++ yS) ++ ZS 
=() 
Xu (XS ++ yS) ++ ZS 
={} 
xu ((xS ++ yS) ++ ZS) 
=( cong (x ::_) (++-assoc xS ys ZS) ) 
Xn (xS ++ (yS ++ ZS)) 


Xu XS ++ (yS ++ ZS) 
| 


The proof is by induction on the first argument. The base case in- 
stantiates to [], and follows by straightforward computation. 
The inductive case instantiates to x :: xs, and follows by 
straightforward computation combined with the inductive hy- 
pothesis. As usual, the inductive hypothesis is indicated by a re- 
cursive invocation of the proof, in this case ++-assoc xs ys 
ZS. 


Recall that Agda supports sections. Applying cong (x ‘:_) pro- 
motes the inductive hypothesis: 


(xs ++ ys) ++ zs = xs ++ (ys ++ ZS) 
to the equality: 
Kit ((xs ++ ys) ++ zs) = x=} (xs ++ (ys ++ zs)) 


which is needed in the proof. 


++-identity' : V {A : Set} (xs : List A) > [] ++ xs = xs 
++-identity' xs = 


++-identity" : V {A : Set} (xs : List A) > xs + [] = xs 
++-identity" [] = 
begin 
[J] +e 0] 


++-identity" (x : xs) = 
begin 
(x : xs) ++ [] 


xu (xs ++ []) 

=( cong (x ::_) (++-identity" xs) ) 
X = XS 

| 


As we will see later, these three properties establish that _++_ 
and [] form a monoid over lists. 


Length 

length : V {A : Set} > List AON 
length [] = zero 

length (x : xs) = suc (length xs) 


Again, it takes an implicit parameter A. The length of the empty 
list is zero. The length of a non-empty list is one greater than the 
length of the tail of the list. 


_:length[0,1,2]#23 


length (0 :: 1: 2: []) 


suc (length (1 = 2 [])) 
=() 
suc (suc (length (2 :: []))) 


suc (suc (suc (length {N} []))) 
=|) 

suc (suc (Suc zero)) 
| 


Computing the length of a list requires time linear in the number 
of elements in the list. 


In the second-to-last line, we cannot write simply length [] 


but must instead write length {N} []. Since [] has no ele- 
ments, Agda has insufficient information to infer the implicit pa- 
rameter. 


Reasoning about length 


(xs ys : List A) 
> length (xs ++ ys length xs + length ys 
length-++ {A} [] ys 
begin 
length ([] ++ ys) 


length-++ : V {A : Set} 
)= 


length ys 
=() 
length {A} [] + length ys 
| 
length-++ (x : xs) ys = 
begin 


length ((x : xs) ++ ys) 


suc (length (xs ++ ys)) 
{ cong suc (length-++ xs ys) ) 
suc (length xs + length ys) 


length (x : xs) + length ys 
| 


The proof is by induction on the first argument. The base case in- 
stantiates to [], and follows by straightforward computation. As 
before, Agda cannot infer the implicit type parameter to 
length, and it must be given explicitly. The inductive case in- 
stantiates to x :: xs, and follows by straightforward computa- 
tion combined with the inductive hypothesis. As usual, the in- 
ductive hypothesis is indicated by a recursive invocation of the 
proof, in this case length-++ xs ys, and it is promoted by 
the congruence cong suc. 


Reverse 


reverse : V {A :: Set} > List A - List A 
reverse [] = if] 
reverse (xX :: xs) reverse xs ++ [ x ] 


The reverse of the empty list is the empty list. The reverse of a 
non-empty list is the reverse of its tail appended to a unit list 
containing its head. 


_: reverse [0,1,2]2[2,1,0] 


~ begin 
reverse (OQ: 1:2: []) 
=() 
reverse (li: 2: []) #+ [0 ] 


reverse (22 []) 4+ [1 ])) #109] 


(reverse [] + [2]) #1[11]1) #186] 


22 [—] #12 []) #O:8 [] 


n([] +4 12 []) # OO: [] 


Reversing a list in this way takes time quadratic in the length of 
the list. This is because reverse ends up appending lists of lengths 
1, 2, upto n - 1, where n is the length of the list being re- 
versed, append takes time linear in the length of the first list, and 
the sum of the numbers up to n - lis n * (n - 1) / 2. 
(We will validate that last fact in an exercise later in this chap- 
ter.) 


Exercise reverse-++—distrib (recommended) 


Show that the reverse of one list appended to another is the re- 
verse of the second appended to the reverse of the first: 


reverse (xs ++ ys) = reverse ys ++ reverse xs 
Exercise reverse-involutive (recommended) 


A function is an involution if when applied twice it acts as the 
identity function. Show that reverse is an involution: 


reverse (reverse xs) = xs 


Faster reverse 


shunt : V {A : Set} + List A> List A> List A 
shunt [] ys ys 
shunt (x #: xs) ys shunt xs (x =: ys) 


The definition is by recursion on the first argument. The second 
argument actually becomes larger, but this is not a problem be- 
cause the argument on which we recurse becomes smaller. 


shunt-reverse : V {A : Set} (xs ys : List A) 
~ shunt xs ys = reverse xs ++ ys 
shunt-reverse [] ys = 
begin 
shunt [] ys 
=() 
ys 
=() 
reverse [] ++ ys 
i 
shunt-reverse (xX !: xs) yS = 


shunt (x :: xs) ys 


shunt xs (x =: ys) 
=( shunt-reverse xs (x =: ys) } 
reverse xs ++ (x § ys) 


reverse xs ++ ([ x ] ++ ys) 
{ sym (++-assoc (reverse xs) [ x ] ys) ) 
(reverse xs ++ [ xX ]) ++ ys 


=() 
reverse (x !: xS) ++ ys 
a 


The proof is by induction on the first argument. The base case in- 
stantiates to [], and follows by straightforward computation. 
The inductive case instantiates to x :: xs and follows by the in- 
ductive hypothesis and associativity of append. When we invoke 
the inductive hypothesis, the second argument actually becomes 
larger, but this is not a problem because the argument on which 
we induct becomes smaller. 


Generalising on an auxiliary argument, which becomes larger as 
the argument on which we recurse or induct becomes smaller, is 
a common trick. It belongs in your quiver of arrows, ready to 
slay the right problem. 


reverse’ : V {A :: Set} >~ List A > List A 
reverse’ xs = shunt xs [] 


reverses : V {A : Set} (xs : List A) 
> reverse’ xs = reverse Xs 
reverses XS = 
begin 
reverse’ xs 


shunt xs [] 

( shunt-reverse xs [] ) 

reverse xs ++ [] 

=( ++-identity" (reverse xs) ) 
reverse xs 

| 


_: reverse’ [0,1,2]2[2,1,0] 


begin 
reverse’ (OQ :: 1: 2: []) 


shunt (0 :: 1:2: []) [] 
=() 
shunt (ar 2 [])) (6 Fy) 


shunt (2°: []) GQ# Oe 11) 


={} 
shunt [] (2:3: 1 0: []) 


22 1 he 


Now the time to reverse a list is linear in the length of the list. 
Map 


map : V {AB : Set} = (A > B) = List A > List B 
map f [] = [] 
map f (x : xs) = fx: map f xs 


Map of the empty list is the empty list. Map of a non-empty list 
yields a list with head the same as the function applied to the 
head of the given list, and tail the same as map of the function 
applied to the tail of the given list. 


: map suc [0,1,2]2[1,2,3] 


nop suc (Gur Le 22 [)) 

suc 0 :: map suc (1 3: 2: []) 

suc 9 3: Suc 1 :: map suc (2: []) 
suc @ :: suc 1 !: Suc 2 :: map suc [] 
suc 0 3: suc 1: suc 2: [] 


ae ae wae 


Map requires time linear in the length of the list. 


sucs : List N > List N 
sucS = Map SUC 


1 sles [0 ; De 2)Slaa2, 3] 


~ begin 


sucs [0,1, 2 ] 
=) 
map suc [0,1 ,2 ] 


[ape 3 ] 
1 


A type that is parameterised on another type, such as list, often 
has a corresponding map, which accepts a function and returns a 
function from the type parameterised on the domain of the func- 
tion to the type parameterised on the range of the function. Fur- 
ther, a type that is parameterised on n types often has a map that 
is parameterised on n functions. 


Exercise map-compose (practice) 


Prove that the map of a composition is equal to the composition 
of two maps: 


map (g ° f) = map g ° map f 


The last step of the proof requires extensionality. 


-- Your code goes here 


Exercise map-++—distribute (practice) 


Prove the following relationship between map and append: 


map f (xs ++ ys) = map f xs ++ map f ys 


-- Your code goes here 
Exercise map-—Tree (practice) 


data Tree (AB: Set) : Set where 
leaf : A - Tree AB 
node : Tree AB -B = Tree AB = Tree AB 


Define a suitable map operator over trees: 


map-Tree : V {A BCD: Set} ~- (A - C) > (B > D) 
> Tree A B > Tree C D 


-- Your code goes here 


Fold 


foldr : V {AB : Set} 
foldr @® e[] 
foldr @® e (x: xs) 


(A>B-B) >B- List A-B 
e 
x ® foldr @® e xs 


Wow os 


Fold of the empty list is the given value. Fold of a non-empty list 
uses the operator to combine the head of the list and the fold of 
the tail of the list. 


_: foldr + 0[1,2,3,4]#£10 


~ begin 
foldr + @ (1:28 32 45 []) 


1+ foldr + 0 (2238 4:8 []) 

+ (2+ foldr + 0 (3:4: [])) 
+ (2+ (3 + foldr + 0 (4: []))) 
+ (2 + (3 + (4+ foldr + 0 []))) 


+ (2 + (3 + (4 + 0))) 
Here we have an instance of foldr where A and B are both 
N. Fold requires time linear in the length of the list. 


sum : List N>N 
sum = foldr + 0 


foldr * O8[1;,2,;,23, 41] 
=) 

10 
1 


Just as the list type has two constructors, [] and _::_, so the 
fold function takes two arguments, e and _@_ (in addition to 
the list argument). In general, a data type with n constructors 
will have a corresponding fold function that takes n arguments. 


As another example, observe that 
foldr _::_ [] xs = xs 


Here, if xs is of type List A, then we see we have an instance 
of foldr where Ais Aand Bis List A. It follows that 


xs ++ ys = foldr _*!_ ys xs 


Demonstrating both these equations is left as an exercise. 
Exercise product (recommended) 


Use fold to define a function to find the product of a list of num- 
bers. For example: 


product [1, 2, 3, 4 ] = 24 
-- Your code goes here 
Exercise foldr—-—++ (recommended) 


Show that fold and append are related as follows: 


foldr _® e (xs ++ ys) = foldr _® (foldr _® _e 
ys) xs 


-- Your code goes here 


Exercise foldr-:: (practice) 


Show 
foldr _::_ [] xs = xs 
Show as a consequence of foldr-—++ above that 


xs ++ ys = foldr _**_ ys xs 


-- Your code goes here 


Exercise map—is—foldr (practice) 


Show that map can be defined using fold: 
map f = foldr (A x xs > f x: xs) [] 


The proof requires extensionality. 


-- Your code goes here 


Exercise fold-Tree (practice) 


Define a suitable fold function for the type of trees given earlier: 


fold-Tree : V {A BC: Set} ~- (A > C) ~- (C+ B- 
C +> C) ~ Tree ABC 


-- Your code goes here 


Exercise map—is—fold-Tree (practice) 


Demonstrate an analogue of map-is-—foldr for the type of 
trees. 


-- Your code goes here 
Exercise sum—downFronm (stretch) 


downFrom : N > List N 


downFrom zero 
downFrom (suc n) 


[] 


n :: downFrom n 


: downFrom 3 =[2,1,0 ] 


_=refl 

Prove that the sum of the numbers (n - 1) 
ton * (n+ 1) / 2: 

sum (downFrom n) * 2 =n * (n = 1) 


-- Your code goes here 


Monoids 


+ + + 0 is equal 


Typically when we use a fold the operator is associative and the 
value is a left and right identity for the operator, meaning that 


the operator and the value form a monoid. 


record IsMonoid {A : Set} ( @ : 
field 
assoc : V (x yz: A) > (x @y) 
identity! : V(x :A)7>e@xs 
identity" : V(x :A)7x@es 


open IsMonoid 


+-monoid : 
+-monoid = 
record 
{ assoc = 
; identity! 
; identity’ 
} 


*-monoid : 
*-monoid = 
record 

{ assoc = 


IsMonoid + 0 


#-aSSOc 


+-identity! 
+-identity’ 


IsMonoid * 1 


*-assoc 


; identity! = *-identity! 


; identity’ 
} 


*-identity" 


A>A=-A) 


(e : A) 


: Set where 


++-monoid : V {A : Set} +> IsMonoid {List A} ++ [] 
++-monoid = 
record 
{ assoc = ++-assoc 
; identity! = ++-identity! 
; identity’ = ++-identity’ 


} 


foldr-monoid : V {A : Set} (® :A-+A-A) (e: A) > IsMonoid @- 
VY (xs : List A) (y : A) = foldr _@® y xs =foldr ® exs@y 
foldr-monoid ® e ®-monoid [] y = 
begin 
foldr @ y [] 
=() 


y 
=( sym (identity! @-monoid y) ) 


(e @ y) 
=() 
foldr @® e[]@ey 
| 
foldr-monoid ® e ®-monoid (x :: xs) y = 
begin 


foldr @ y (x: xs) 


x ® (foldr @ y xs) 

=( cong (x @_) (foldr-monoid ® e ®-monoid xs y) } 
x ® (foldr @® e xs ® y) 

=( sym (assoc ®-monoid x (foldr ® e xs) y) }) 


(x @ foldr ® exs) @y 


foldr @® e (x: xs) @y 


postulate 
foldr-++ : V {A : Set} 


(® : A+A-A) (e: A) (xs ys : List A) 
foldr @ e (xs ++ ys) = 


foldr @ (foldr ® e ys) xs 


foldr-monoid-++ : V {A : Set} (@® :A-+A>-A) 
VY (xs ys : List A) = foldr @® e (xs ++ ys) = 
foldr-monoid-++ @ e monoid-® xs ys = 


e : A) - IsMonoid | 
oldr @ e xs ® fol 


foldr @ e (xs ++ ys) 
=( foldr-++ @ e xs ys ) 
foldr @ (foldr @® e ys) xs 


=( foldr-monoid ® e monoid-® xs (foldr @® e ys) ) 
foldr @ exs ® foldr ® eys 
i] 


Exercise foldl (practice) 


Define a function foldl which is analogous to foldr, but 
where operations associate to the left rather than the right. For 
example: 


] = x ® (y ® (z ® e)) 
] = ((e€ ® x) ®@y) ®z 


-- Your code goes here 


Exercise foldr-—monoid-fold1 (practice) 


Show that if _® and e form a monoid, then foldr _@®_ e 
and foldl _@_ e always compute the same result. 


-- Your code goes here 


All 


We can also define predicates over lists. Two of the most impor- 
tant are All and Any. 


data All {A : Set} (P : A > Set) : List A > Set where 
[] : ALLP [] 


 : VW {x : A} {xs : List A} > P x = ALL P xs = ALL P (x: 


The type has two constructors, reusing the names of the same 
constructors for lists. The first asserts that P holds for every ele- 
ment of the empty list. The second asserts that if P holds of the 
head of a list and for every element of the tail of a list, then P 
holds for every element of the list. Agda uses types to disam- 
biguate whether the constructor is building a list or evidence that 
All P holds. 


xs) 


Here _::_ and [] are the constructors of All P rather than of 
List A. The three items are proofs of 0 < 2, 1 < 2,and 2 < 
2, respectively. 


(One might wonder whether a pattern such as [_,_,_] can be 
used to construct values of type All as well as type List, since 
both use the same constructors. Indeed it can, so long as both 
types are in scope when the pattern is declared. That’s not the 
case here, since List is defined before [_,_,_], but All is 
defined later.) 


Any 


data Any {A : Set} (P : A = Set) : List A > Set where 
here : VW {x : A} {xs : List A} > P x = Any P (x :: xs) 
there : V {x : A} {xs : List A} > Any P xs => Any P (x :: xs) 
infix4 € ¢ 


—€ : V {A : Set} (x : A) (xs : List A) > Set 
x € xs = Any (x =_) xs 


€ : V {A : Set} (x : A) (xs : List A) > Set 


_~POele®, 2. O52] 
here refl 


>0E€[0,1,90,2] 
there (there (here refl)) 


not-in: 3€[0,1,0,2] 

not-in (here ()) 

not-in (there (here ())) 

not-in (there (there (here ()))) 

not-in (there (there (there (here ())))) 
not-in (there (there (there (there ())))) 


The five occurrences of () attest to the fact that there is no pos- 
sible evidence for 3 = 0, 3 = 1, 3 = 0, 3 = 2,and 3 & 
[], respectively. 


All and append 


All-t++-e : V {A : Set} {P : A > Set} (xs ys : List A) - 
ALL P (xs ++ ys) # (ALL P xs x All P ys) 
All-++-e xs yS = 


record 
{ to = to xs ys 
; from = from xs ys 
} 

where 


to : V {A : Set} {P : A > Set} (xs ys : List A) > 
ALL P (xs ++ ys) > (ALL P xs x ALL P ys) 
to [] ys Pys = { [] , Pys ) 
to (x =: xs) ys (Px :: Pxs++ys) with to xs ys Pxs++tys 
| ( Pxs , Pys ) = ( Px :: Pxs , Pys ) 


from : V { A: Set} {P : A > Set} (xs ys : List A) > 
All P xs x ALL P ys = All P (xs ++ ys) 
from [] ys ( [] , Pys ) = Pys 
from (x :: xs) ys ( Px : Pxs , Pys ) = Px: from xs ys ( Pxs , Pys 


Exercise Any-++-© (recommended) 


Prove a result similar to All-++-@, but with Any in place of 
All, and a suitable replacement for _x_. As a consequence, 
demonstrate an equivalence relating _© and _++_. 


-- Your code goes here 


Exercise Al1-—++-= (stretch) 


Show that the equivalence Al1-++-© can be extended to an 
isomorphism. 


-- Your code goes here 


Exercise ~Any@A117- (recommended) 
Show that Any and A11 satisfy a version of De Morgan’s Law: 


("_ ° Any P) xs @ All ("“_° P) xs 


(Can you see why it is important that here _°_ is generalised to 
arbitrary levels, as described in the section on universe polymor- 
phism?) 

Do we also have the following? 


("_ ° All P) xs @ Any (7"_° P) xs 


If so, prove; if not, explain why. 


-- Your code goes here 


Exercise ~Any=A11- (stretch) 


Show that the equivalence ~Any@Al117- can be extended to an 
isomorphism. You will need to use extensionality. 


-- Your code goes here 


Exercise Al1-v (practice) 
Show that All P xsisisomorphicto V x > x © xs > P x, 


-- You code goes here 


Exercise Any-—3i (practice) 


Show that Any P xs isisomorphicto i[ x ] (x © xs x P 
x). 


-- You code goes here 


Decidability of All 


all: V {A : Set} = (A = Bool) > List A = Bool 
all p = foldr a_ true © map p 


The function can be written in a particularly compact style by us- 
ing the higher-order functions map and foldr. 


Decidable : V {A : Set} > (A = Set) > Set 
Decidable {A} P = V (x: A) = Dec (P x) 


All? : V {A : Set} {P : A = Set} > Decidable P - Decidable (AlL1l P) 
ALL? P? [] = yes [] 

ALL? P? (x =: xs) with P? x 
ate yes (Px :: Pxs) 

no A{ (Px :: Pxs) > -=Px 
no A{ (Px :: Pxs) = -=Px 


If the list is empty, then trivially P holds for every element of 
the list. Otherwise, the structure of the proof is similar to that 
showing that the conjunction of two decidable propositions is it- 
self decidable, using _::_ rather than (_,_) to combine the evi- 
dence for the head and tail of the list. 


Exercise Any? (stretch) 

Just as All has analogues all and All? which determine 
whether a predicate holds for every element of a list, so does 
Any have analogues any and Any? which determine whether a 


predicate holds for some element of a list. Give their definitions. 


-- Your code goes here 
Exercise split (stretch) 


data merge {A : Set} : (xs ys zs : List A) > Set where 


merge [] [] [] 


left-:: : V {x xs ys zs} 


> merge xs ys zs 


right-:: : V {y xs ys zs} 
> merge xs ys Zs 


_ Pierre (2,411 2;, 3111425374) 
— = left-: (right-: (right-: (left-: []))) 


Given a decidable predicate and a list, we can split the list into 
two lists that merge to give the original list, where all elements 
of one list satisfy the predicate, and all elements of the other do 
not satisfy the predicate. 


Define the following variant of the traditional filter function 
on lists, which given a decidable predicate and a list returns a list 
of elements that satisfy the predicate and a list of elements that 
don’t, with their corresponding proofs. 


split : V {A : Set} {P : A = Set} (P? 
Decidable P) (zs : List A) 

> 4{[ xs ] 4[ ys ] ( merge xs ys zs x All P xs 
x All ("_° P) ys ) 


-- Your code goes here 


Standard Library 


import Data.List using (List; ++ _; length; reverse; map; foldr; dov 


import Data.List.Relation.Unary.All using (All; []; _:_) 

import Data.List.Relation.Unary.Any using (Any; here; there) 

import Data.List.Membership.Propositional using ( € ) 

import Data.List.Properties 
using (reverse-++-commute; map-compose; map-++-commute; foldr-++) 
renaming (mapIsFold to map-is-foldr) 

import Algebra.Structures using (IsMonoid) 

import Relation.Unary using (Decidable) 

import Relation.Binary using (Decidable) 


The standard library version of IsMonoid differs from the one 
given here, in that it is also parameterised on an equivalence re- 
lation. 


Both Relation.Unary and Relation.Binary define a ver- 
sion of Decidable, one for unary relations (as used in this 
chapter where P ranges over unary predicates) and one for bi- 
nary relations (as used earlier, where _<_ ranges over a binary 
relation). 


Unicode 


This chapter uses the following unicode: 


*} U+2237 PROPORTION (\::) 

@ U+t2297 CIRCLED TIMES (\otimes, \ox) 

© U+2208 ELEMENT OF (\in) 

¢ U+2209 NOT AN ELEMENT OF (\inn, \notin) 


Part 2: Programming Lan- 
guage Foundations 


And here it is formalised in Agda: Here are a couple of example 
terms: the natural number two and a function that adds naturals: 
As a second example, we use higher-order functions to represent 
natural numbers. In particular, the number n is represented by a 
function that accepts two arguments and applies the first n times 
to the second. This is called the Church representation of the natu- 
rals. Here are a few example terms: the Church numeral two, a 
function that adds Church numerals, and a function to compute 
successor: Some people find it annoying to write ~ "x" instead 
of x. We can make examples with lambda terms slightly easier 
to write by adding the following definitions: The definition of 
plus can now be written as follows: We define reflexive and 
transitive closure as a sequence of zero or more steps of the un- 
derlying relation, along lines similar to that for reasoning about 
chains of equalities in Chapter Equality: Alternatively, we might 
define reflexive and transitive closure directly as the smallest re- 
lation that includes — and is reflexive and transitive. We do so 
as follows: We start with a simple example. The Church numeral 
two applied to the successor function and zero yields the natural 
number two:Here is a sample reduction demonstrating that two 
plus two is four:And here is a similar sample reduction for 
Church numerals: Lookup is formalised as follows: Typing is for- 
malised as follows: Here is the above typing derivation for- 
malised in Agda:Here are the typings corresponding to comput- 
ing two plus two: And here are typings for the remainder of the 
Church example: The lookup relation T 3 x 8 A is functional, 
in that for each T and x there is at most one A such that the 
judgment holds: 


Lambda: Introduction to Lambda Calcu- 
lus 


module plfa.part2.Lambda where 


The lambda-calculus, first published by the logician Alonzo 
Church in 1932, is a core calculus with only three syntactic con- 
structs: variables, abstraction, and application. It captures the 


key concept of functional abstraction, which appears in pretty 
much every programming language, in the form of either func- 
tions, procedures, or methods. The simply-typed lambda calculus 
(or STLC) is a variant of the lambda calculus published by 
Church in 1940. It has the three constructs above for function 
types, plus whatever else is required for base types. Church had a 
minimal base type with no operations. We will instead echo 
Plotkin’s Programmable Computable Functions (PCF), and add op- 
erations on natural numbers and recursive function definitions. 


This chapter formalises the simply-typed lambda calculus, giving 
its syntax, small-step semantics, and typing rules. The next chap- 
ter Properties proves its main properties, including progress and 
preservation. Following chapters will look at a number of vari- 
ants of lambda calculus. 


Be aware that the approach we take here is not our recom- 
mended approach to formalisation. Using de Bruijn indices and 
intrinsically-typed terms, as we will do in Chapter DeBruijn, 
leads to a more compact formulation. Nonetheless, we begin with 
named variables and extrinsically-typed terms, partly because 
names are easier than indices to read, and partly because the de- 
velopment is more traditional. 


The development in this chapter was inspired by the correspond- 
ing development in Chapter Stlc of Software Foundations (Pro- 
gramming Language Foundations). We differ by representing con- 
texts explicitly (as lists pairing identifiers with types) rather than 
as partial maps (which take identifiers to types), which corre- 
sponds better to our subsequent development of DeBruijn nota- 
tion. We also differ by taking natural numbers as the base type 
rather than booleans, allowing more sophisticated examples. In 
particular, we will be able to show (twice!) that two plus two is 
four. 


Imports 


open import Data.Bool using (Bool; true; false; T; not) 
open import Data.Empty using (1; L-elim) 

open import Data.List using (List; =; []) 

open import Data.Nat using (N; zero; suc) 


open import Data.Product using (4-syntax; | 
open import Data.String using (String; = ) 
open import Data.Unit using (tt) 

open import Relation.Nullary using (Dec; yes; no; —_) 

open import Relation.Nullary.Decidable using (False; toWitnessFalse) 
open import Relation.Nullary.Negation using (7?) 

open import Relation.Binary.PropositionalEquality using (=; #; fF 


x_) 


Syntax of terms 


Terms have seven constructs. Three are for the core lambda cal- 
culus: 


* Variables ~ x 
- Abstractions A x > N 
* Applications L - M 


Three are for the naturals: 


* Zero ~ zero 
* Successor ~“suc M 
* Case case L [zero™> M |suc x PN ] 


And one is for recursion: 
* Fixpoint p x > M 


Abstraction is also called lambda abstraction, and is the construct 
from which the calculus takes its name. 


With the exception of variables and fixpoints, each term form ei- 
ther constructs a value of a given type (abstractions yield func- 
tions, zero and successor yield natural numbers) or deconstructs 
it (applications use functions, case terms use naturals). We will 
see this again when we come to the rules for assigning types to 
terms, where constructors correspond to introduction rules and 
deconstructors to eliminators. 


Here is the syntax of terms in Backus-Naur Form (BNF): 


L, M, N 23= 
x | Ax>n | L-eMm | 


~ zero | “suc M case L [zero™ M |]suc x » 


N] | 
px7mM 

Id : Set 

Id = String 


infix 5 X=_ 
infix 5S ps. 
infixl 7 —:_ 
infix 8 ‘suc_ 
infix 9 ~ 


data Term : Set where 


_ : Id - Term 

K => : Id - Term > Term 

ae : Term > Term > Term 

“zero : Term 

“suc. : Term > Term 

case [zero |suc = ] : Term > Term > Id > Term > Term 
= : Id - Term > Term 


We represent identifiers by strings. We choose precedence so that 
lambda abstraction and fixpoint bind least tightly, then applica- 
tion, then successor, and tightest of all is the constructor for vari- 
ables. Case expressions are self-bracketing. 


Example terms 


two : Term 
two = “suc ‘suc “zero 
plus : Term 
plus =p "+" = A "m" = XK "n" = 
case ~ "m" 
[zero> * "n" 


| suc On = “suc (~ Mera A » ca ; > “A! ) ] 


The recursive definition of addition is similar to our original defi- 
nition of _+_ for naturals, as given in Chapter Naturals. Here 
variable “m” is bound twice, once in a lambda abstraction and 
once in the successor branch of the case; the first use of “m” 
refers to the former and the second to the latter. Any use of “m” 


in the successor branch must refer to the latter binding, and so 
we say that the latter binding shadows the former. Later we will 
confirm that two plus two is four, in other words that the term 


plus + two - two 


reduces to “suc *suc ~suc ‘suc ~*~ zero. 


twos : Term 
two° = X New = X a = 7 High ‘ (~ ig 7 * no) 


plus* : Term 
plus‘ = Xx Nit ss Xx al zx Xx Hel oe Xx Tr = 
= Nig és * vet A (7 a . * ite ‘i * we) 


suc® : Term 
succ = X "n" = ‘suc (* "n") 


The Church numeral for two takes two arguments s and z and 
applies s twice to z. Addition takes two numerals mand n, a 
function s and an argument z, and it uses mto apply s to the 
result of using nto apply sto z; hence s is applied m plus n 
times to z, yielding the Church numeral for the sum of m and 
n. For convenience, we define a function that computes succes- 
sor. To convert a Church numeral to the corresponding natural, 
we apply it to the suc‘ function and the natural number zero. 
Again, later we will confirm that two plus two is four, in other 
words that the term 


plus + two - two - suc® + “zero 


reduces to ~suc *suc ~suc ~suc ~ zero. 

Exercise mul (recommended) 

Write out the definition of a lambda term that multiplies two 
natural numbers. Your definition may use plus as defined ear- 


lier. 


-- Your code goes here 


Exercise mul‘ (practice) 


Write out the definition of a lambda term that multiplies two 
natural numbers represented as Church numerals. Your definition 
may use plus‘ as defined earlier (or may not — there are nice 
definitions both ways). 


-- Your code goes here 
Exercise primed (stretch) 


var? : (t : Term) > Bool 
true 
false 


KX’ = : (t : Term) = {_ : T (var? t)} > Term > Term 
K’ = (~x)N=Xx-2N 


case’ [zero=_|suc = ] : Term > Term > (t : Term) > {_ : T (var? t)} 


case’ L [zero> M |suc (~ x) »N] = case L [zero= M |suc x =N ] 
uo =: (t : Term) = {_ : T (var? t)} > Term > Term 
uw’ (x) =N = pen 


Recall that T is a function that maps from the computation 
world to the evidence world, as defined in Chapter Decidable. 
We ensure to use the primed functions only when the respective 
term argument is a variable, which we do by providing implicit 
evidence. For example, if we tried to define an abstraction term 
that binds anything but a variable: 


Term 
_ = K' two > two 


Agda would complain it cannot find a value of the bottom type 
for the implicit argument. Note the implicit argument’s type re- 
duces to 1 when term t is anything but a variable. 


plus’ : Term 
plus’ =w’ +> %’ m=%X' na 
case’ m 


[zero= n 
Jsuc m > ‘suc (++ m-=n) ] 


where 
ne = ma 
m = * wT ls 


$ 1 n " 
Write out the definition of multiplication in the same style. 
Formal vs informal 


In informal presentation of formal semantics, one uses choice of 
variable name to disambiguate and writes x rather than ~ x for 
a term that is a variable. Agda requires we distinguish. 


Similarly, informal presentation often use the same notation for 
function types, lambda abstraction, and function application in 
both the object language (the language one is describing) and the 
meta-language (the language in which the description is written), 
trusting readers can use context to distinguish the two. Agda is 
not quite so forgiving, so here we use A x > Nand L - M for 
the object language, as compared to A x > Nand L Min our 
meta-language, Agda. 


Bound and free variables 


In an abstraction A x > Nwecall x the bound variable and N 
the body of the abstraction. A central feature of lambda calculus 
is that consistent renaming of bound variables leaves the mean- 
ing of a term unchanged. Thus the five terms 


r WN Wow => WN wow > > Wom, (- Wom . woM) 
a WN we => WN Wy" > S Wem, (- wewo. Wy") 
“A "sam" > A "zelda" > > "sam" - (> "sam" 
~ "zelda") 
F WN WoW => WN Wow > > MoM, (- WoW. Wot) 
oi "@" > WN wn @" => * "@" 2 (- "@" 
a ) 


are all considered equivalent. Following the convention intro- 
duced by Haskell Curry, who used the Greek letter o (alpha) to 


label such rules, this equivalence relation is called alpha renam- 
ing. 


As we descend from a term into its subterms, variables that are 
bound may become free. Consider the following terms: 


‘é WN Wow > WN WoW > > Wom, (> Wom . wo") has 
both s and z as bound variables. 


e WN A Wo a (- Wo ‘ = "7") has z bound 
and s free. 

e > MyM. (o Mgt. + "Z") has both s and z as free 
variables. 


We say that a term with no free variables is closed; otherwise it is 
open. Of the three terms above, the first is closed and the other 
two are open. We will focus on reduction of closed terms. 


Different occurrences of a variable may be bound and free. In the 
term 


(A Wy > > Msg) ‘“ ™ Wy 


the inner occurrence of x is bound while the outer occurrence is 
free. By alpha renaming, the term above is equivalent to 


(A myn — "y") % > Wy" 


in which y is bound and x is free. A common convention, called 
the Barendregt convention, is to use alpha renaming to ensure that 
the bound variables in a term are distinct from the free variables, 
which can avoid confusions that may arise if bound and free 
variables have the same names. 


Case and recursion also introduce bound variables, which are 
also subject to alpha renaming. In the term 


u wan = WN Mm" => WN mm => 
case ~ "m" 
[zero> ~*~ "n" 
|suc "™™™ > suc (> MEM 2 > Mmm 2 yyy) J 


notice that there are two binding occurrences of m, one in the 
first line and one in the last line. It is equivalent to the following 
term, 


v1 "plus" > WN Wy => WN myn > 


case ~ "x" 
[zero> ~ "yn" 
| suc "y'" > suc (> "plus" 2. Wyrm ys "y") 


] 


where the two binding occurrences corresponding to m now 
have distinct names, x and x’. 


Values 


A value is a term that corresponds to an answer. Thus, ~ suc 
“suc ~suc ‘suc *zero is a value, while plus - two 
two is not. Following convention, we treat all function abstrac- 
tions as values; thus, plus by itself is considered a value. 


The predicate Value Mholds if term M is a value: 


data Value : Term > Set where 


V-X : VW {x N} 


Value “zero 


V-suc : V {V} 
~ Value V 


~ Value (‘suc V) 
In what follows, we let V and W range over values. 
Formal vs informal 


In informal presentations of formal semantics, using Vv as the 


name of a metavariable is sufficient to indicate that it is a value. 
In Agda, we must explicitly invoke the Value predicate. 


Other approaches 


An alternative is not to focus on closed terms, to treat variables 
as values, and to treat A x > Nasa value only if N is a value. 
Indeed, this is how Agda normalises terms. We consider this ap- 
proach in Chapter Untyped. 


Substitution 


The heart of lambda calculus is the operation of substituting one 
term for a variable in another term. Substitution plays a key role 
in defining the operational semantics of function application. For 
instance, we have 


(A Won > WN A Wow. (> Wom. Wo) ) 
suc® + *zero 
-_ 
(A "2" > suck + (suct - > "zZ")) + ‘zero 
-_ 
suc® + (suc® + * zero) 
where we substitute suc‘ for ~ "s" and *zero for ~ "z" in 


the body of the function abstraction. 


We write substitution as N [ x := V ], meaning “substitute 
term v for free occurrences of variable x in term N”, or, more 
compactly, “substitute v for x in N”, or equivalently, “in N re- 
place x by v”. Substitution works if v is any closed term; it 
need not be a value, but we use V since in fact we usually substi- 
tute values. 


Here are some examples: 


é (A mom => Ss Won, (CC Wom . m7) ) [ Wom 2a 
suc® ] yields A "Zz" > suc® + (suc® + > "z"), 
* (suc + (suc - > "z")) [ "z" := ‘zero ] yields 


suc® + (suc® + *° zero). 


e (A Wem > > Wy") [ "yn" ‘= ‘zero ] yields WN Wy" 


> * zero. 

e (A WM > > x") [ Wy" = ‘zero ] yields WN Wy" 
> > Wy 

e (A "yn" > > Wy") [ "yx" += ‘zero ] yields WN myn 
=> > sae 


In the last but one example, substituting * zero for xin A "x" 
=> ~ "x" does not yield A "x" => ~ zero, since x is bound in 
the lambda abstraction. The choice of bound names is irrelevant: 
both A "x" > > "x" and A "y" > ~ "y" stand for the 
identity function. One way to think of this is that x within the 
body of the abstraction stands for a different variable than x out- 
side the abstraction, they just happen to have the same name. 


We will give a definition of substitution that is only valid when 
the term substituted for the variable is closed. This is because 
substitution by terms that are not closed may require renaming of 
bound variables. For example: 


° (A Wy" > ty Wy" . % "y") [ wy" = © Wy" 
~ zero] should not yield 
(A Wy" > » Ws" 's (- Wy" a Y Zero) ) ‘ 


Instead, we should rename the bound variable to avoid capture: 


e (A Ws" > is Ws" 2 * "y") [ Wye — ¥ Wy" 
‘zero ] should yield 
WN Wt M => Y Myr, (> WM ~zero). 


Here x’ is a fresh variable distinct from x. Formal definition of 
substitution with suitable renaming is considerably more com- 
plex, so we avoid it by restricting to substitution by closed terms, 
which will be adequate for our purposes. 


Here is the formal definition of substitution by closed terms in 
Agda: 
infix 9 [ := ] 


_[.:=_] : Term - Id > Term > Term 
(~ x) [y :=V ] withx2y 


| yes =V 
J} no _ =~ xX 
(Xx =N) [ y :=V ] with x 2y 
| yes =XKx-N 
. | no _ =XKxeN[y:=V] 
(iL MYL y:=V] =L[Ty:=V]-M[Ey:=V ] 
(zero) [ y :=V ] = “zero 
(‘suc M) [ y :=V ] = ‘sucM[ y :=V ] 
(case L [zero> M |suc x = N ]) [ y := V ] withx 4y 
. | yes _ = case L [ y :=V_ ] [zero> M[ y := V ] |Suc x = 
sce [RO = case L [ y :=V ] [zero> M[ y := V ] |Suc x = 
(ux =>=N) [ y :=V ] with x 2y 
| yes _ =ux-N 
| no =uxe=N[yi:eV] 


Let’s unpack the first three cases: 


* For variables, we compare y, the substituted variable, 
with x, the variable in the term. If they are the same, we 
yield v, otherwise we yield x unchanged. 


For abstractions, we compare y, the substituted variable, 
with x, the variable bound in the abstraction. If they are 
the same, we yield the abstraction unchanged, otherwise 
we substitute inside the body. 


For application, we recursively substitute in the function 
and the argument. 


Case expressions and recursion also have bound variables that 
are treated similarly to those in lambda abstractions. Otherwise 
we simply push substitution recursively into the subterms. 


Examples 


Here is confirmation that the examples above are correct: 


_ : (x Nd xs * Mel ; (~ Me - na) [ tee ‘= succ® ] 
= XK rd u = sUuCS é (suc¢ . * no) 
_=refl 
: (oue® + (sauce = * z")) | "2" se “zera | = sum? + (Suc / 


= refl 


“zero) 


" : (x as my) [ hye = ‘zero ] = X Mie 25 ‘zero 

_=refl 

7 : (x nt ny") [ au = ‘zero ] = X os 24 a Hse 

_=refl 

= : (x Baye "y") [ Ly ad = ‘zero ] = X my a > Nye 
= refl 


Quiz 


What is the result of the following substitution? 


(A myn > Wy" (A Wy" => > MyM) ) [ Wy" = \zero 
] 

1. (A "Vy > Wo" (A Wy => MyM) ) 

2. (A "y" => el (A "x" = *zero)) 

3. (A "y" > zero - (A "x" 3 > ™x")) 

4. (A "y" > > zero (A "x" = ~ zero) ) 
Exercise _[_:=_]’ (stretch) 


The definition of substitution above has three clauses (A, case, 
and p) that invoke a with clause to deal with bound variables. 
Rewrite the definition to factor the common part of these three 
clauses into a single function, defined by mutual recursion with 
substitution. 


-- Your code goes here 


Reduction 


We give the reduction rules for call-by-value lambda calculus. To 
reduce an application, first we reduce the left-hand side until it 
becomes a value (which must be an abstraction); then we reduce 
the right-hand side until it becomes a value; and finally we sub- 
stitute the argument for the variable in the abstraction. 


In an informal presentation of the operational semantics, the 


rules for reduction of applications are written as follows: 


Te Ie 

E--141 
L:->M-—- tL’ -M 
M — M’ 

E--2 
VeM—-3>V-:- M! 

B-A 

(Ax >N) + VN OE x:t=V] 


The Agda version of the rules below will be similar, except that 
universal quantifications are made explicit, and so are the predi- 
cates that indicate which terms are values. 


The rules break into two sorts. Compatibility rules direct us to re- 
duce some part of a term. We give them names starting with the 
Greek letter € (xi). Once a term is sufficiently reduced, it will 
consist of a constructor and a deconstructor, in our case A and 
-, which reduces directly. We give them names starting with the 
Greek letter 8 (beta) and such rules are traditionally called beta 
rules. 


A bit of terminology: A term that matches the left-hand side of a 
reduction rule is called a redex. In the redex (A x > N) - V, 
we may refer to x as the formal parameter of the function, and v 
as the actual parameter of the function application. Beta reduction 
replaces the formal parameter by the actual parameter. 


If a term is a value, then no reduction applies; conversely, if a re- 
duction applies to a term then it is not a value. We will show in 
the next chapter that this exhausts the possibilities: every well- 
typed term either reduces or is a value. 


For numbers, zero does not reduce and successor reduces the 
subterm. A case expression reduces its argument to a number, 
and then chooses the zero or successor branch as appropriate. A 
fixpoint replaces the bound variable by the entire fixpoint term; 
this is the one case where we substitute by a term that is not a 


value. 

Here are the rules formalised in Agda: 
infix 4 —_ 

data — _: Term > Term > Set where 


E--1 : V {L L’ M} 
-L—L’ 


~ Value V 


B-X : V {x N V} 
~ Value V 


> “suc M — “suc M’ 


E-case : V {x LL’ M N} 
-L—oL’ 


> case L [zero= M |suc x > N ] — case L’ [zero> M |suc x = N ] 


B-zero : V {x M N} 


> case “zero [zero> M |suc x > N ] —M 


B-suc : V {x V M N} 
> Value V 


The reduction rules are carefully designed to ensure that sub- 
terms of a term are reduced to values before the whole term is 
reduced. This is referred to as call-by-value reduction. 


Further, we have arranged that subterms are reduced in a left-to- 
right order. This means that reduction is deterministic: for any 
term, there is at most one other term to which it reduces. Put an- 
other way, our reduction relation — is in fact a function. 


This style of explaining the meaning of terms is called a small- 
step operational semantics. If M —> N, we say that term M reduces 
to term N, or equivalently, term M steps to term N. Each com- 
patibility rule has another reduction rule in its premise; so a step 
always consists of a beta rule, possibly adjusted by zero or more 
compatibility rules. 


Quiz 


What does the following term step to? 


(A Wy => Wy) (A Wy => Wy") ay 9990 
1 (A Wy => Wy) 
2 (A Wy => Wy) (A Wy => x") 
3 (A Wy > My) (A Wy => x") (A Wy" 


1 (A Wy => x) 
2 (A Wy => Wy) F (A Wy > > My) 
3 (A Wy" > > Wy) . (A a Wy") . (A Wy" 


What does the following term step to? (Where two‘ and suc‘ 
are as defined above.) 


twof - suc® + “zero —> ??? 


1. suc® - (suc® - *zero) 
2. (A "z" > suct + (suck + * "z")) + * zero 
3. > zero 


Reflexive and transitive closure 


A single step is only part of the story. In general, we wish to re- 
peatedly step a closed term until it reduces to a value. We do this 
by defining the reflexive and transitive closure —— of the step 
relation —. 


infix 2 -—»_ 
infix 1 begin_ 
infixr 2 —( ) 
infix 3 5 


data -—» : Term > Term > Set where 
8:VM 


{ |! 


begin. : V {M N} 
->M—N 


->M—N 
begin M—--N = M—-N 


We can read this as follows: 


* From term M, we can take no steps, giving a step of type 
M —> M.Itis written M HL. 


* From term L we can take a single step of type L —> M 
followed by zero or more steps of type M —> N, giving a 
step of type L —> N. It is written L —-( L--M ) M—>N, 
where L—-M and M——>N are steps of the appropriate type. 


The notation is chosen to allow us to lay out example reductions 
in an appealing way, as we will see in the next section. 


data _-—»’_ : Term > Term > Set where 


step’ : V {M N} 
~M—N 


refl’ : V {M} 


trans’ : V {L M N} 
>o>L—’M 
“N 


The three constructors specify, respectively, that —-' includes 
—~ and is reflexive and transitive. A good exercise is to show that 
the two definitions are equivalent (indeed, one embeds in the 
other). 


Exercise —~»<—~' (practice) 


Show that the first notion of reflexive and transitive closure 
above embeds into the second. Why are they not isomorphic? 


-- Your code goes here 


Confluence 


One important property a reduction relation might satisfy is to 
be confluent. If term 1L reduces to two other terms, M and N, 
then both of these reduce to a common term P. It can be illus- 
trated as follows: 


L 
— 


Here L, M, N are universally quantified while P is existentially 
quantified. If each line stands for zero or more reduction steps, 
this is called confluence, while if the top two lines stand for a 
single reduction step and the bottom two stand for zero or more 
reduction steps it is called the diamond property. In symbols: 


postulate 
confluence : V {L M N} 
>= ((L — M) x (L— N)) 


~ S| Po] (MP) (Ne PY) 


diamond : V {L M N} 
>= ((L —M) x (L—N)) 


=a P ] ((M=« P) » (N =« P)) 


The reduction system studied in this chapter is deterministic. In 
symbols: 


postulate 
deterministic : V {L M N} 
-L—M 
+L—oN 


It is easy to show that every deterministic relation satisfies the 
diamond and confluence properties. Hence, all the reduction sys- 
tems studied in this text are trivially confluent. 


Examples 


_ 1: twoc + sucS + “zero —» “suc “suc “zero 


begin 
twoc + suc* + “zero 
—( &-+1 (B-% V-%) ) 
(KX "z" = succ + (succ + *~ "z")) + “zero 
—( B-X V-zero }) 
suc® + (suc® + “zero) 
—+( E-+2 V-X (B-X V-zero) ) 
suc® + ‘suc “zero 
—( B-X (V-suc V-zero) ) 
“suc (suc “zero) 
| 


_ : plus - two + two —» “suc “suc “suc “suc “zero 


begin 
plus : two - two 
a Eta (G42. Ball). 


(x ihe a XK une = 


case ~ "m" [zero» ~ "n" |suc "m" + ‘suc (plus - ~ "m" = ~ "n") 
- two : two 
—( E-+1 (B-X (V-suc (V-suc V-zero))) ) 
(Kn = 
case two [zero» ~*~ "n" |suc "m" + ‘suc (plus + ~ "m" = *~ "n") J 
- two 


—( B-X (V-suc (V-suc V-zero)) } 
case two [zero=> two |suc "m" => ‘suc (plus - ~ "m" + two) ] 
—( B-suc (V-suc V-zero) ) 
“suc (plus + “suc “zero - two) 
—a{ E-siie (E+'4 (E-"4 B-u))) 
“suc ((KX "m" = XK "n" = 
case ~ "m" [zero» ~ "n" |suc "m" =» “suc (plus : ~ "m" + *~ "n") 
“suc “zero : two) 
—( &E-suc (&-+1 (B-X (V-suc V-zero))) } 
“suc ((A "n" = 
case ‘suc “zero [zero» ~ "n" |suc "m" =» “suc (plus + ~ "m" : 
- two) 
—( &-suc (B-X% (V-suc (V-suc V-zero))) ) 
“suc (case “suc “zero [zero» two |suc "m" =» “suc (plus : ~ "m" : 
—( &-suc (B-suc V-zero) } 
“suc “suc (plus + “zero : two) 
=a Eosue (E-sue (e-"4 (e-74 Bap))) 7 
“suc “suc ((X “m" = XK "n" = 
case ~ "m" [zero» ~ "n" |suc "m" + ‘suc (plus - ~ "m" = ~ "n") 
“zero + two) 


—( &-suc (&- 


“suc “suc ( 


case ‘zero [zero=> ~ 


- two) 


suc (€-+1 (B-X V-zero))) ) 
(X "n" = 


"n" [suc "m" =» “suc (plus + ~ "m" = 


—( &-suc (&-suc (B-A (V-suc (V-suc V-zero)))) ) 
“suc “suc (case “zero [zero two |suc "m" =» “suc (plus : 


—( &-suc (&- 


“suc (suc 
a 


begin 


(x ba (a = XK 

« twos 
= bes (Es 
(x 2 = XK 

* twos 
= Eta (Es 
(x a a Xx 


: plus* + twoc + twoc + succ : 


suc B-zero) ) 
(*suc (suc “zero))) 


a => XK Wig! = XK na = > Ma 5 
- twoc + suc® + “zero 


a (€-6a (D-% VeA))) 9 


Wet => Xx ze => two a hi Wet A 
- succ + ‘zero 

1 (B-% V-X)) ) 

wy" => two ‘ * We i ( two* | 


“zero —» “suc “suc “suc “suc 


(? une ao Nigh é 


Sgt Sg) 


~ unt 


si ha P 


“zero 


= Wg 


ae) 


. suc® . 


—i{ E-ia (Bex Van) } 


(KX "z" = twoc + succ + (twos : 


—( B-X V-zero ) 


twos + succ + (twoc : suc¢ : 


—3( §="a (B-% V-A) ) 
(XK "2" = suc® » (suce « 


at Ete Wen. (Bote: (Bea Vea) f 


K "z" =» succ =: (succ + 
E--2 V-X (B-X V-zero) ) 
K "z" =» succ + (succ : * 


KX “z" = suc® « (suc® « 


* ((X "z" = succ + 


E-+2 V-K (E-+2 V-X (B-% V-zero)) ) 


» * "Z7")) + “zero 


* succ « ~zero) 
(suc oso se a 
* (suc® + “zero)) 


* (“suc “zero)) 


* (“suc “suc zero) 


—( &-+2 V-X (B-X (V-suc V-zero)) } 
K "z" » succ + (succ : ~ 
B-X (V-suc (V-suc V-zero)) ) 
uc + (suc® + “suc “suc zero) 
—( E-+2 V-X (B-X% (V-suc (V-suc V-zero))) ) 
uc® + (‘suc ‘suc “suc “zero) 
—( B-X (V-suc (V-suc (V-suc V-zero))) ) 
“suc (*suc (‘suc (‘suc “zero))) 


In the next chapter, we will see how to compute such reduction 


sequences. 


Exercise plus—examp1le (practice) 


Write out the reduction sequence demonstrating that one plus 
one is two. 


-- Your code goes here 


Syntax of types 


We have just two types: 


* Functions, A > B 
¢ Naturals, ~N 


As before, to avoid overlap we use variants of the names used by 
Agda. 


Here is the syntax of types in BNF: 
A, B, C ::= A>BI|-N 


And here it is formalised in Agda: 


intixr Ys 


data Type : Set where 
=: Type > Type > Type 


“N : Type 


Precedence 


As in Agda, functions of two or more arguments are represented 
via currying. This is made more convenient by declaring _=_ to 
associate to the right and _-_ to associate to the left. Thus: 


© (NA CN) > CN FCN stands for (((N > *N) & 


((N => <N)). 
* plus - two - twostandsfor (plus - two) - two. 


Quiz 


+ What is the type of the following term? 


WN Wow > > Won 


n 


~ zero) 


oe ae DoE 


Give more than one answer if appropriate. 
* What is the type of the following term? 


(A Wow > sou 


n 
n 


~“zero)) + suc 


ON Bs NES 


Give more than one answer if appropriate. 
Typing 
Contexts 


While reduction considers only closed terms, typing must con- 
sider terms with free variables. To type a term, we must first type 
its subterms, and in particular in the body of an abstraction its 
bound variable may appear free. 


A context associates variables with types. We let IT. and A range 
over contexts. We write © for the empty context, and Tr , x 8 
A for the context that extends I by associating variable x with 
type A. For example, 


° & , "st S*N> CN Al SN 


is the context that associates variable "s" with type ~N > “N, 
and variable "z" with type ~N. 


Contexts are formalised as follows: 
infixl5 —, 3. 


data Context : Set where 
@ : Context 
, 8: Context - Id - Type > Context 


Exercise Context-—= (practice) 


Show that Context is isomorphic to List (Id x Type). For 
instance, the isomorphism relates the context 


'%) F Won 8 ~N > ~N r WoW 8 ~N 


-- Your code goes here 


Lookup judgment 


We have two forms of judgment. The first is written 
TDxéaAa 


and indicates in context I that variable x has type A. It is 
called lookup. For example, 


e 7) 7 Wo 8 N > ~N WoW 8 N =) WoW 8 N 
° 4) , Won 8 N > N : WoW 8 ~N > "sy" 8 ~N > 
~N 


give us the types associated with variables "z" and "s", re- 
spectively. The symbol 3 (pronounced “ni”, for “in” backwards) 
is chosen because checking that T 3 x 8 A is analogous to 
checking whether x 3 A appears in a list corresponding to I. 


If two variables in a context have the same name, then lookup 
should return the most recently bound variable, which shadows 
the other variables. For example, 


e 7) ; Wy" 8 ~N > ~N ; Wo" 8 ~N =) Wo" 8 ~N, 
Here "x" 8 ~N => *N is shadowed by "x" 8 *N. 


infix 4 538. 
data 3 8 : Context - Id - Type > Set where 


Z:V {0 x A} 


The constructors Z and S correspond roughly to the construc- 
tors here and there for the element-of relation _€_ on lists. 
Constructor S takes an additional parameter, which ensures that 
when we look up a variable that it is not shadowed by another 
variable with the same name to its left in the list. 


It can be rather tedious to use the S constructor, as you have to 
provide proofs that x # y each time. For example: 


“N mye 8 *N : na 8 *N 3 ual 2 *N eis *N 
Instead, we’ll use a “smart constructor”, which uses proof by re- 
flection to check the inequality while type checking: 


S’ : V {fF x y A B} 
> {x#y : False (x = 


Ix 
< 
— 
we 


S’ {x#y = x#y} x = S (toWitnessFalse x#y) x 


Typing judgment 
The second judgment is written 
TrTEM8A 


and indicates in context T that term M has type A. Context I 
provides types for all the free variables in M. For example: 


~N 
e , Wo 8 N > ~N , wow 8 N K Won 
WoW 8 N 
e 7) > WoW 7 N > ~N ; WoW ° N KF Won ( 
Won m7") 8 N 
e '%) r Won 8 N > N KF WN WoW => Wo ( Wo 
= m7") 8 ~N > 
é (4) = WN Wow => WN WoW => Wow ( Wo 
"z") 8 (N3°N) > °N3°N 


infix 4 Fe. 


data + 8 _: Context - Term = Type > Set where 


== N-Ta 


>FEM8 ‘N 


-- N-E 

tease : V {fF LM x N A} 
>FRELs8  ‘N 
>FEM8A 

>~F ,x8 NENSA 


Each type rule is named after the constructor for the correspond- 
ing term. 


Most of the rules have a second name, derived from a convention 
in logic, whereby the rule is named after the type connective that 
it concerns; rules to introduce and to eliminate each connective 
are labeled -I and -E, respectively. As we read the rules from 
top to bottom, introduction and elimination rules do what they 
say on the tin: the first introduces a formula for the connective, 
which appears in the conclusion but not in the premises; while 
the second eliminates a formula for the connective, which appears 
in a premise but not in the conclusion. An introduction rule de- 
scribes how to construct a value of the type (abstractions yield 
functions, successor and zero yield naturals), while an elimina- 
tion rule describes how to deconstruct a value of the given type 
(applications use functions, case expressions use naturals). 


Note also the three places (in FA, Fcase, and Fy) where the 
context is extended with x and an appropriate type, correspond- 
ing to the three places where a bound variable is introduced. 


The rules are deterministic, in that at most one rule applies to ev- 
ery term. 


Example type derivations 


Type derivations correspond to trees. In informal notation, here 
is a type derivation for the Church numeral two, 


2s 
Dz 
— Fk. 
a = = 
Ds T2 "S"SsAPA 
Ta Sot 8K 
= 
T2 b s"SA>A 1 aaa ie ule a 
To F Wo" (7 "3g" z") SA 
: = LA 
T4 EFA" Sd Wo" ( Wo" z") S APA 
KA 
TE WN Wow > WN WoW > > Wom, (- Wow. Woy 8 (A 
>A) PAPA 
where 3s and >z abbreviate the two derivations, 
---------------- 2% 
s" ~ "yg" T D("s"SA> A 
~- ~ -- -- S 
Z 
T2 =) WoW 8 A > A T2 =) wo s 
A 


and where T1 = I, "Ss" 8 A> AandT2 =I, "S"8A 


> A, "z" 8 A. The typing derivation is valid for any IT and 
A, for instance, we might take T tobe @ and Atobe “N. 


Ch : Type - Type 
ChA=(A=A)2=A2A 


Htwoc : V {Ff A} > F &F twoc 8 ChA 

HtwoS = FX (KX (KF 39S: (F 39S + F 9z))) 
where 
95S 25" °Z 
a7 = Z 


Htwo : V {[} > F &F two 8 “N 
Ktwo = FSuc (Suc Fzero) 


Hplus : V {[} >F F plus 8 “N= ‘N= ‘N 
Hplus = Hu (KA (FX (FKcase (F* 3m) (F° Sn) 
(Ksuc (KY 3+ + FY 3m’ + FY 35n’))))) 


where 

a+ = 5 (S" (S" Z)) 
Sn = 5° Z 

In =Z 

Sm’ = Z 

an° = 8° Z 


+2+2 : @+t plus : two : two 8 ‘N 
-2+2 = -Eplus : Ftwo - Ftwo 


In contrast to our earlier examples, here we have typed two and 
plus in an arbitrary context rather than the empty context; this 
makes it easy to use them inside other binding contexts as well 
as at the top level. Here the two lookup judgments >m and 3m’ 
refer to two different bindings of variables named "m". In con- 
trast, the two judgments 3n and 3n’ both refer to the same 
binding of "n" but accessed in different contexts, the first where 
"n" is the last binding in the context, and the second after "m" 
is bound in the successor branch of the case. 


Hpluss : V {f A} >f F pluss 8 ChA=>ChAS=ChA 

Hplus® = KX (FX (FA (FX (FF Sm: F 39S: (FF Sn: F 39S + F 3z))))) 
where 
3m = 
3n = 


a 
Zz 


3s 
32 


Fsucc : V {fT} =F & sucs 8 “N= N 
Fsuc® = FX (Fsuc (F° 93n)) 
where 
an = Z 
H2+2° : @t plus® + twoc + twoc - succ : “zero 3 ‘N 
H2+2° = Eplus® + Etwoc « Etwo*c : FSuc*c « Fzero 


Interaction with Agda 


Construction of a type derivation may be done interactively. 
Start with the declaration: 


Fsuct : OF suc 8 *N > CN 
Fsuc® = ? 


Typing C-c C-l causes Agda to create a hole and tell us its ex- 
pected type: 


Fsuc® = { }0 
270 : OF suc 8 “NB CN 


Now we fill in the hole by typing C-c C-r. Agda observes that the 
outermost term in suc‘ is A, which is typed using FA. The FA 
rule in turn takes one argument, which Agda leaves as a hole: 


Fsuct = FA { }1 
21:0, "n" 8 *NE ‘suc > "n" 8 °N 


We can fill in the hole by typing C-c C-r again: 


Ksuct = FA (Fsuc { }2) 
22:0, "nn" 8*NE* "nN" 8 oN 


And again: 


Fsuct = FA (Fsuc (FF { }3)) 
23: GO, "n" § *ND "n" 8 oN 


A further attempt with C-c C-r yields the message: 


Don't know which constructor to introduce of Z 
ors 


We can fill in z by hand. If we type C-c C-space, Agda will con- 
firm we are done: 


Ksuct = FA (Ksuc (F* Z)) 


The entire process can be automated using Agsy, invoked with C- 
c C-a. 


Chapter Inference will show how to use Agda to compute type 
derivations directly. 


Lookup is functional 


3-functional : V {—f x AB} -T 95 
3-functional Z Z 
3-functional Z ( 
3-functional (S x# _) Z 
3-functional (S _ 3x) ( 


sSA-FT3xsB-A=B 
refl 

l-elim (x# refl) 
l-elim (x# refl) 
3-functional 3x 3x’ 


tou iw oi x 


S 93x’) 


S x# ) 
The typing relation T - M 8 A is not functional. For example, 
in any ['theterm A "x" > ~ "x" has type A => A for any 
type A. 


Non-examples 


We can also show that terms are not typeable. For example, here 
is a formal proof that it is not possible to type the term ~ zero 

‘suc * zero. It cannot be typed, because doing so requires 
that the first term in the application is both a natural and a func- 
tion: 


nope: : V {A} +> = (@ F “zero : “suc “zero 8 A) 
nope: (() : _) 


As a second example, here is a formal proof that it is not possible 
to type A "x" > * "x" - > "x", Jt cannot be typed, be- 
cause doing so requires types Aand Bsuchthat A > B = A: 


nopez : V {A} = 73 (@ FX "x" =~ "x" + > "x" 8 A) 

nope2 (KX (KF 3x + F 3x’)) = contradiction (3-functional 3x 3x’) 
where 
contradiction : V {A B} > - (A =B =A) 
contradiction () 


Quiz 


For each of the following, give a type A for which it is derivable, 
or explain why there is no such A. 


1.0 F "Wy" 8 ~N > ~N : Wy" 8 ~N Fk > my" 


Wy 8 A 

2 (7) - my" 3 N > N ? Wy" 8 N KF Wy" 
myn oA. 

3.6 7 my" 8 ~N > ~N KF WN Wy => > my" Ps = Wo" 
8 A 


For each of the following, give types A, B, and c for which it is 
derivable, or explain why there are no such types. 


1.0 , Wy" 8 A kK = Wo. : Wo" 8 B 
2.6 7 Wem SA "yn" SBE WN A aL (> 
"yn" . "oN) ae 


Exercise mul (recommended) 


Using the term mul you defined earlier, write out the derivation 
showing that it is well typed. 


-- Your code goes here 


Exercise mul‘ (practice) 


Using the term mul‘ you defined earlier, write out the deriva- 
tion showing that it is well typed. 


-- Your code goes here 


Unicode 


This chapter uses the following unicode: 


=> U+21D2 RIGHTWARDS DOUBLE ARROW (\=>) 

A U+019B LATIN SMALL LETTER LAMBDA WITH STROKE 
(\G1-) 

U+00B7 MIDDLE DOT (\cdot) 

U+225F QUESTIONED EQUAL TO (\?=) 

U+2014 EM DASH (\em) 

—> U+21A0 RIGHTWARDS TWO HEADED ARROW (\rr-) 

—€ U+03BE GREEK SMALL LETTER XI (\Gx or \xi) 

B U+03B2 GREEK SMALL LETTER BETA (\Gb or 
\beta) 
ae 

\ 

x 


Il~ 


U+0393 GREEK CAPITAL LETTER GAMMA (\GG or 
Gamma) 
U+2260 NOT EQUAL TO (\=n or \ne) 
> U+220B CONTAINS AS MEMBER (\ni) 
O@ U+2205 EMPTY SET (\0) 
F U+22A2 RIGHT TACK (\vdash or \|-) 
8 U+2982 2% NOTATION TYPE COLON (\:) 
@ vU+iF607 SMILING FACE WITH HALO 
@® v+1F608 SMILING FACE WITH HORNS 


We compose reduction —- from an em dash — and an arrow -. 
Similarly for reflexive and transitive closure ——>. 


We start with an easy observation. Values do not reduce: As a 
corollary, terms that reduce are not values: Well-typed values 
must take one of a small number of canonical forms, which pro- 
vide an analogue of the Value relation that relates values to 
their types. A lambda expression must have a function type, and 
a zero or successor expression must be a natural. Further, the 
body of a function must be well typed in a context containing 
only its bound variable, and the argument of successor must it- 
self be canonical: To formulate this property, we first introduce a 
relation that captures what it means for a term M to make 
progress: If a term is well typed in the empty context then it sat- 
isfies progress: Instead of defining a data type for Progress M, 
we could have formulated progress using disjunction and existen- 
tials: Combine progress and —>~V to write a program that de- 
cides whether a well-typed term is a value: for lambda expres- 
sions, and similarly for case and fixpoint. To deal with this situa- 
tion, we first prove a lemma showing that if one context maps to 
another, this is still true after adding the same variable to both 
contexts: With the extension lemma under our belts, it is straight- 
forward to prove renaming preserves types: First, a closed term 
can be weakened to any context: Second, if the last two variables 
in a context are equal then we can drop the shadowed one: 
Third, if the last two variables in a context differ then we can 
swap them: Here is the formal statement and proof that substitu- 
tion preserves types: Some terms may reduce forever. Here is a 
simple example: By analogy, we will use the name gas for the pa- 
rameter which puts a bound on the number of reduction steps. 
Gas is specified by a natural number:When our evaluator returns 
a term N, it will either give evidence that N is a value or indi- 
cate that it ran out of gas:Given a term L of type A, the evalua- 
tor will, for some N, return a reduction sequence from L to N 
and an indication of whether reduction finished:The evaluator 
takes gas and evidence that a term is well typed, and returns the 
corresponding steps: We can now use Agda to compute the non- 
terminating reduction sequence given earlier. First, we show that 
the term sucy is well typed:To show the first three steps of the 
infinite reduction sequence, we evaluate with three steps worth 
of gas:Similarly, we can use Agda to compute the reduction se- 
quences given in the previous chapter. We start with the Church 


numeral two applied to successor and zero. Supplying 100 steps 
of gas is more than enough: Next, we show two plus two is four: 
Similarly, we can evaluate the corresponding term for Church 
numerals: A term is normal if it cannot reduce:A term is stuck if it 
is normal yet not a value:Using progress, it is easy to show that 
no well-typed term is stuck:Using preservation, it is easy to show 
that after any number of steps, a well-typed term remains well 
typed:An easy consequence is that starting from a well-typed 
term, taking any number of reduction steps leads to a term that 
is not stuck: Our proof will need a variant of congruence to deal 
with functions of four arguments (to deal with 
case_[zero>_|suc_>_]). It is exactly analogous to cong 
and congz2 as defined previously:It is now straightforward to 
show that reduction is deterministic: 


Properties: Progress and Preservation 


module plfa.part2.Properties where 


This chapter covers properties of the simply-typed lambda calcu- 
lus, as introduced in the previous chapter. The most important of 
these properties are progress and preservation. We introduce 
these below, and show how to combine them to get Agda to com- 
pute reduction sequences for us. 


Imports 


open import Relation.Binary.PropositionalEquality 
using (=; #,; refl; sym; cong; congz) 

open import Data.String using (String; = ) 

open import Data.Nat using (N; zero; suc) 

open import Data.Empty using (1; L-elim) 

open import Data.Product 
using (_x ; proji; proj2; 4; d-syntax) 


renaming (_,_ to (_,_)) 
open import Data.Sum using ( WU ; inji; injz) 
open import Relation.Nullary using (-_; Dec; yes; no) 
open import Function using ( ° ) 


open import plfa.part1.Isomorphism 
open import plfa.part2.Lambda 


Introduction 


The last chapter introduced simply-typed lambda calculus, in- 
cluding the notions of closed terms, terms that are values, reduc- 
ing one term to another, and well-typed terms. 


Ultimately, we would like to show that we can keep reducing a 
term until we reach a value. For instance, in the last chapter we 
showed that two plus two is four, 


plus + two + two -—~ ‘suc ‘suc “suc ‘suc *zero 


which was proved by a long chain of reductions, ending in the 
value on the right. Every term in the chain had the same type, 
~N. We also saw a second, similar example involving Church nu- 
merals. 


What we might expect is that every term is either a value or can 
take a reduction step. As we will see, this property does not hold 
for every term, but it does hold for every closed, well-typed term. 


Progress: If @ / M 8 Athen either M is a value or there is an N 
such that M —> N. 


So, either we have a value, and we are done, or we can take a re- 
duction step. In the latter case, we would like to apply progress 
again. But to do so we need to know that the term yielded by the 
reduction is itself closed and well typed. It turns out that this 
property holds whenever we start with a closed, well-typed term. 


Preservation: If @ KF M8 Aand M — Nthen O@ FN 8 A. 


This gives us a recipe for automating evaluation. Start with a 
closed and well-typed term. By progress, it is either a value, in 
which case we are done, or it reduces to some other term. By 
preservation, that other term will itself be closed and well typed. 
Repeat. We will either loop forever, in which case evaluation 
does not terminate, or we will eventually reach a value, which is 
guaranteed to be closed and of the same type as the original 
term. We will turn this recipe into Agda code that can compute 
for us the reduction sequence of plus - two - two, and its 


Church numeral variant. 


(The development in this chapter was inspired by the corre- 
sponding development in Software Foundations, Volume Program- 
ming Language Foundations, Chapter StlcProp. It will turn out that 
one of our technical choices — to introduce an explicit judgment 
Tr D> x 8 A in place of treating a context as a function from 
identifiers to types — permits a simpler development. In particu- 
lar, we can prove substitution preserves types without needing to 
develop a_ separate inductive definition oof the 
appears_free_in relation.) 


Values do not reduce 


V-— : V {M N} 
~ Value M 


Vu— V-X () 
\V-— \V-zero () 
V-— (V-suc VM) (&-suc M-N) = V-— VM M-N 


We consider the three possibilities for values: 
* If it is an abstraction then no reduction applies 
* If it is zero then no reduction applies 


* If it is a successor then rule £-suc may apply, but in that 
case the successor is itself of a value that reduces, which 
by induction cannot occur. 


~ = Value M 
—-V M—-N VM = V-— VM M—-N 


If we expand out the negations, we have 


vo : V {MN} - Value M+>M—+>NSL 
—31V : V {MN} > M—N > Value M > L 


which are the same function with the arguments swapped. 


Exercise Canonical-= (practice) 


infix 4 Canonical 8_ 
data Canonical 8 : Term > Type > Set where 
C-X : V {x A N B} 


-@,xX8sAEFN8B 


Canonical “zero $ “N 
C-suc : V {V} 
~ Canonical V 3 “N 


~ Canonical ‘suc V 8 “N 


Show that Canonical V 8 Ais isomorphic to (O F V 8 A) 
x (Value V), that is, the canonical forms are exactly the well- 
typed values. 


-- Your code goes here 


Progress 


We would like to show that every term is either a value or takes 
a reduction step. However, this is not true in general. The term 


“zero + ~suc “zero 


is neither a value nor can take a reduction step. And if "s" 8 
~N => ~N then the term 


"s" + “zero 


cannot reduce because we do not know which function is bound 
to the free variable "s". The first of these terms is ill typed, and 


the second has a free variable. Every term that is well typed and 
closed has the desired property. 


Progress: If @ fF M 8 Athen either M is a value or there is an N 
such that M — N. 


data Progress (M : Term) : Set where 


step : V {N} 
~M—N 


- Progress M 


done : 
Value M 


- Progress M 


A term M makes progress if either it can take a step, meaning 
there exists a term N such that M — N, or if it is done, mean- 
ing that M is a value. 


progress : V {M A} 
~@Z@EMBA 
- Progress M 
progress (+ ()) 


progress (FX EN) = done V-X 
progress (HL + HM) with progress HL 
... | step L—-L’ = step (E-+1 L—-L’) 
| done V-X with progress FM 
| step M—M’ = step (E-:2 V-K M—M’) 
. | done VM = step (B-X% VM) 
progress #zero = done V-zero 


progress (FSuc HM) with progress MM 


| step M—M’ = step (&-suc M—M’) 
| done VM = done (V-suc VM) 
progress (Hcase HL HM EN) with progress HL 
... | step L—-L’ = step (&-case L—L’ ) 
| done (V-zero) = step B-zero 
... | done (V-suc VL) = step (B-suc VL) 
progress (Hu EM) = step B-u 


We induct on the evidence that the term is well typed. Let’s un- 


pack the first three cases: 


* The term cannot be a variable, since no variable is well 
typed in the empty context. 


¢ If the term is a lambda abstraction then it is a value. 


- If the term is an application L - M, recursively apply 
progress to the derivation that L is well typed: 


© If the term steps, we have evidence that L — L’, 
which by &--1 means that our original term steps to 
L’ -M 


© If the term is done, we have evidence that L is a 
value, which must be a lambda abstraction. Recur- 
sively apply progress to the derivation that M is well 
typed: 


M@ If the term steps, we have evidence that M —— 
M', which by €--2 means that our original 
term stepsto L - M’. Step &€--2 applies only 
if we have evidence that L is a value, but 
progress on that subterm has already supplied 
the required evidence. 


@ If the term is done, we have evidence that M is 
a value, so our original term steps by B-A. 


The remaining cases are similar. If by induction we havea step 
case we apply a € rule, and if we have a done case then either 
we have a value or apply a 8 rule. For fixpoint, no induction is 
required as the 8 rule applies immediately. 


Our code reads neatly in part because we consider the step op- 
tion before the done option. We could, of course, do it the other 
way around, but then the ... abbreviation no longer works, 
and we will need to write out all the arguments in full. In gen- 
eral, the rule of thumb is to consider the easy case (here step) 
before the hard case (here done). If you have two hard cases, 
you will have to expand out ... or introduce subsidiary func- 


tions. 


postulate 
progress’ : VM {A} > 2+ M8 A- Value MU 4[ N ](M— N) 


This leads to a less perspicuous proof. Instead of the mnemonic 
done and step we use inji and injz2, and the term N is no 
longer implicit and so must be written out in full. In the case for 
B-A this requires that we match against the lambda expression L 
to determine its bound variable and body, A x => N, so we can 
show that L - Mreducesto N [ x :=M ]. 


Exercise Progress—= (practice) 


Show that Progress Mis isomorphic to Value M WU 3[ N ] 
(M — N). 


-- Your code goes here 


Exercise progress’ (practice) 


Write out the proof of progress’ in full, and compare it to the 
proof of progress above. 


-- Your code goes here 
Exercise value? (practice) 


postulate 
value? : V {AM} > @+M 8 A = Dec (Value M) 


Prelude to preservation 


The other property we wish to prove, preservation of typing un- 
der reduction, turns out to require considerably more work. The 
proof has three key steps. 


The first step is to show that types are preserved by renaming. 


Renaming: Let IT and A be two contexts such that every variable 
that appears in T also appears with the same type in A. Then if 
any term is typeable under TI, it has the same type under A. 


In symbols: 
VY {x A} ~-TDx#®A + ADXEA 


V {MA} >TFM8A +> AFMSA 


Three important corollaries follow. The weaken lemma asserts 
that a term which is well typed in the empty context is also well 
typed in an arbitrary context. The drop lemma asserts that a term 
which is well typed in a context where the same variable appears 
twice remains well typed if we drop the shadowed occurrence. 
The swap lemma asserts that a term which is well typed in a con- 
text remains well typed if we swap two variables. 


(Renaming is similar to the context invariance lemma in Software 
Foundations, but it does not require the definition of 
appears_free_innorthe free_in_context lemma.) 


The second step is to show that types are preserved by substitu- 
tion. 


Substitution: Say we have a closed term v of type A, and under 
the assumption that x has type A the term N has type B. Then 
substituting V for x in N yields a term that also has type B. 


In symbols: 


The result does not depend on v being a value, but it does re- 
quire that v be closed; recall that we restricted our attention to 
substitution by closed terms in order to avoid the need to rename 
bound variables. The term into which we are substituting is 
typed in an arbitrary context I, extended by the variable x for 


which we are substituting; and the result term is typed in I. 


The lemma establishes that substitution composes well with typ- 
ing: typing the components separately guarantees that the result 
of combining them is also well typed. 


The third step is to show preservation. 
Preservation: If @  M 8 Aand M — Nthen O@ TN 8 A. 


The proof is by induction over the possible reductions, and the 
substitution lemma is crucial in showing that each of the 8 rules 
that uses substitution preserves types. 


We now proceed with our three-step programme. 
Renaming 


We often need to “rebase” a type derivation, replacing a deriva- 
tion T - M 8 A bya related derivation A - M 8 A. We may 
do so as long as every variable that appears in I also appears in 
A, and with the same type. 


Three of the rules for typing (lambda abstraction, case on natu- 
rals, and fixpoint) have hypotheses that extend the context to in- 
clude a bound variable. In each of these rules, I appears in the 
conclusion and [ , x 8 A appears ina hypothesis. Thus: 


T, x8AEFN8B 


FA 
TkeAx>N8A>B 
ext : V {f A} 
> (V {x A} = ra3axsA- A3x 8A) 
> (V {x yAB} Or, yy? B3xsA7A,y8B3x 8 A) 
ext p Z = Z 
ext p (S x#y 3x) = S x#y (p 3x) 


Let po be the name of the map that takes evidence that x ap- 
pears in I to evidence that x appears in A. The proof is by case 
analysis of the evidence that x appears in the extended context 


- If x is the same as y, we used Z to access the last vari- 
able in the extended TI; and can similarly use Z to access 
the last variable in the extended A. 


If x differs from y, then we used S to skip over the last 


variable in the extended IT, where x#y is evidence that x 
and y differ, and >x is the evidence that x appears in TI; 
and we can similarly use S to skip over the last variable in 
the extended A, applying p to find the evidence that x 


appears in A. 


rename : 


Vv {0 A} 
~ (V {x A} - Ff 3 x 


> (V {MA} >TEM 


rename 
rename 
rename 
rename 
rename 
rename 


rename 


p 
p 
p 
p 
p 
p 


p 


Fk 2w) 


F-zero 


(KSsuc EM) 


(Kcase EL EM 


(Fu HM) 


F* (p 3w) 
FAX (rename (ext p) EN) 
(rename p FL) : (rename p EM) 
zero 
Fsuc (rename p FM) 
EN) 
-case (rename p FL) (rename p HM) (rename (ex 
Hu (rename (ext p) HM) 


As before, let be the name of the map that takes evidence that 
x appears in T to evidence that x appears in A. We induct on 
the evidence that M is well typed in I. Let’s unpack the first 
three cases: 


* If the term is a variable, then applying p to the evidence 
that the variable appears in I yields the corresponding ev- 
idence that the variable appears in A. 


* If the term is a lambda abstraction, use the previous lemma 
to extend the map op suitably and use induction to rename 
the body of the abstraction. 


* If the term is an application, use induction to rename both 
the function and the argument. 


The remaining cases are similar, using induction for each sub- 
term, and extending the map whenever the construct introduces 
a bound variable. 


The induction is over the derivation that the term is well typed, 
so extending the context doesn’t invalidate the inductive hypoth- 
esis. Equivalently, the recursion terminates because the second 
argument always grows smaller, even though the first argument 
sometimes grows larger. 


We have three important corollaries, each proved by construct- 
ing a suitable map between contexts. 


weaken : V {f M A} 
>~@EMBA 


->TEM8A 
weaken {[} HM = rename p HM 
where 


Here the map 0 is trivial, since there are no possible arguments 
in the empty context ©. 


-— ,xsBFEM8C 


where 


l-elim (x#x refl) 
S zZ#X 32Z 


4 
x< 
0° 
ive] 
WwW 
N 
0° 

nou ba 


) 
S  932)) 


Here map op can never be invoked on the inner occurrence of x 


since it is masked by the outer occurrence. Skipping over the x 
in the first position can only happen if the variable looked for 
differs from x (the evidence for which is x#x or z#x) but if the 
variable is found in the second position, which also contains x, 
this leads to a contradiction (evidenced by x#x ref1). 


swap : V {fT x yMAB C} 


-F ,xsA,ysBEMSBC 
swap {f} {x} {y} {M} {A} {B} {C} x#y FM = rename p FM 
where 


-F ,xsA,ysBIzsC 
pZ = S x#y Z 
p (S z#x Z) =. 7 
p (S z#x (S z#y 3z)) = S z#y (S z#x 32z) 


Here the renaming map takes a variable at the end into a vari- 
able one from the end, and vice versa. The first line is responsi- 
ble for moving x from a position at the end to a position one 
from the end with y at the end, and requires the provided evi- 
dence that x # y. 


Substitution 


The key to preservation — and the trickiest bit of the proof — is 
the lemma establishing that substitution preserves types. 


Recall that in order to avoid renaming bound variables, substitu- 
tion is restricted to be by closed terms only. This restriction was 
not enforced by our definition of substitution, but it is captured 
by our lemma to assert that substitution preserves typing. 


Our concern is with reducing closed terms, which means that 
when we apply 8 reduction, the term substituted in contains a 
single free variable (the bound variable of the lambda abstrac- 
tion, or similarly for case or fixpoint). However, substitution is 
defined by recursion, and as we descend into terms with bound 


variables the context grows. So for the induction to go through, 
we require an arbitrary context I, as in the statement of the 
lemma. 


V{ 
> @G@EV 8 
xX 8 


>> 


FY {x = x} Z) withx 2+ y 
weaken FV 
eee l-elim (x#y refl) 
subst {x = y} EV (F {x = x} (S x#y 9x)) with x 2 y 
| yes refl il-elim (x#y refl) 
see | RO _ F* 3x 
subst {x = y} EV (FX {x = x} EN) with x 2 y 
| yes refl -X (drop EN) 
... | no x#y -K (subst FV (swap x#y EN)) 
subst EV (HL : EM) (subst FV EL) « (Subst FV EM) 
subst FV Fzero -zero 
subst FV (FSuc EM) FSsuc (Subst FV EM) 
subst {x = y} EV (Hcase {x = x} H_ EM EN) with x 2 y 
| yes refl -Kcase (subst FV HL) (subst FV HM) (drop HN) 
... | no x#y -case (subst FV FL) (subst FV FM) (subst FV ( 
subst {x = y} EV (Fu {x = x} FM) with x 2 y 
| yes refl Hu (drop EM) 
| no x#y Hu (subst FV (swap x#y FM)) 


We induct on the evidence that N is well typed in the context T 
extended by x. 


First, we note a wee issue with naming. In the lemma statement, 
the variable x is an implicit parameter for the variable substi- 
tuted, while in the type rules for variables, abstractions, cases, 
and fixpoints, the variable x is an implicit parameter for the rel- 
evant variable. We are going to need to get hold of both vari- 
ables, so we use the syntax {x = y} to bind y to the substi- 
tuted variable and the syntax {x = x} to bind x to the rele- 
vant variable in the patterns for F*, FA, HKcase, and Fn. Us- 
ing the name y here is consistent with the naming in the origi- 
nal definition of substitution in the previous chapter. The proof 
never mentions the types of x, y, V, or N, so in what follows 
we choose type names as convenient. 


Now that naming is resolved, let’s unpack the first three cases: 
* In the variable case, we must show: 


OV 3B 
T, y®BEFE* x8A 


TF x [Ty :=V]8A 
where the second hypothesis follows from: 
T, y® BBDxeea 


There are two subcases, depending on the evidence for this 
judgment: 


© The lookup judgment is evidenced by rule 2: 


In this case, x and y are necessarily identical, as 
are A and B. Nonetheless, we must evaluate x = y 
in order to allow the definition of substitution to 


simplify: 


M@ If the variables are equal, then after simplifica- 
tion we must show: 


which follows by weakening. 


M@ If the variables are unequal we have a contra- 
diction. 


© The lookup judgment is evidenced by rule s: 
ny: 
x 


x £# 
TD $s A 


In this case, x and y are necessarily distinct. None- 
theless, we must again evaluate x + y in order to 
allow the definition of substitution to simplify: 


M@ If the variables are equal we have a contradic- 
tion. 


M@ If the variables are unequal, then after simpli- 
fication we must show: 


OtvesB 
x Zy 
TDxéa 


TF x 8A 
which follows by the typing rule for variables. 
* In the abstraction case, we must show: 


OtvesB 
T, y§8BrE (Ax>N) 8ARC 


TF (Ax >N) [y:=V]8A>C 


where the second hypothesis follows from: 
1 op oyee Bs oe By RUN 


We evaluate x = y in order to allow the definition of sub- 
stitution to simplify: 


© If the variables are equal then after simplification we 
must show: 


From the drop lemma we know: 


T, x8B, x8AFN8C 


The typing rule for abstractions then yields the re- 
quired conclusion. 


© If the variables are distinct then after simplification 
we must show: 


OrvesB 
x #y 
Dy. 4 8 Bey ee ee 


TrEAx> (N[Ey:=V]) 8A>C 


From the swap lemma we know: 


XUESY 
r,y 


r, x8A,y8BENS8C 


00 
Ww 
™* 
00 
QD 
T 
Zz 
00 


C 


The inductive hypothesis gives us: 


The typing rule for abstractions then yields the re- 
quired conclusion. 


* In the application case, we must show: 


O@krvec 
Tr, yscrFL:+M8B 


where the second hypothesis follows from the two judg- 


ments: 
T, ys8CrFLSA>B 
T, ys CFM8A 


By the definition of substitution, we must show: 


OGtvec 

Tr,yscrFL8A>B 
Tr,yscrM8a 

TF (L [y :=V]) +: (M[y:=V]) 8B 


Applying the induction hypothesis for L and M and the 
typing rule for applications yields the required conclusion. 


The remaining cases are similar, using induction for each sub- 
term. Where the construct introduces a bound variable we need 
to compare it with the substituted variable, applying the drop 
lemma if they are equal and the swap lemma if they are distinct. 


For Agda it makes a difference whether we write x = yor y = 
x. In an interactive proof, Agda will show which residual with 
clauses in the definition of _[{_:=_] need to be simplified, and 
the with clauses in subst need to match these exactly. The 
guideline is that Agda knows nothing about symmetry or com- 
mutativity, which require invoking appropriate lemmas, so it is 
important to think about order of arguments and to be consis- 
tent. 


Exercise subst’ (stretch) 


Rewrite subst to work with the modified definition _[_:=_]' 
from the exercise in the previous chapter. As before, this should 
factor dealing with bound variables into a single function, de- 
fined by mutual recursion with the proof that substitution pre- 
serves types. 


-- Your code goes here 


Preservation 


Once we have shown that substitution preserves types, showing 
that reduction preserves types is straightforward: 


preserve : V {MN A} 


> @EMBA 

-~M—N 

> @ENCSA 
preserve (F° ()) 
preserve (FA EN) () 
preserve (FL : FM) (E-+1 LL’) = (preserve FL L- 
preserve (FL : EM) (E-:2 VL MM’) = FEL - (preserve 
preserve ((FA EN) « FV) (B-X VV) = subst FV HN 
preserve zero () 
preserve (FSuc HM) (E-suc M—M’ ) = suc (preserve 
preserve (Hcase EL HM HN) (E-case L—L’) = tcase (preserve 
preserve (case Fzero FM EN) (B-zero) = KM 
preserve (Fcase (FSuc FV) HM EN) (B-suc VW) = subst EV HN 
preserve (Hy EM) (B-y) = subst (Hu HM) + 


The proof never mentions the types of M or N, so in what fol- 
lows we choose type name as convenient. 


Let’s unpack the cases for two of the reduction rules: 


* Rule &--1. We have 


where the left-hand side is typed by 


iP eG 
T FM 


By induction, we have 


TFLsA>B 


L— L’ 


TEFL’ 8A>B 


from which the typing of the right-hand side follows imme- 
diately. 


Rule g-A. We have 


Value V 


(Ax >N) > V—-ON[E x :=V ] 
where the left-hand side is typed by 


T, x8AEFN8&B 


TEFAx>NSAZ>B TEVS8A 


TE (Ax > N) -V8B 


By the substitution lemma, we have 


TEFVe8A 
T, x8AEFN8&B 
TEN [x :=V] 8B 


from which the typing of the right-hand side follows imme- 
diately. 


The remaining cases are similar. Each € rule follows by induc- 
tion, and each 8 rule follows by the substitution lemma. 


Evaluation 


By repeated application of progress and preservation, we can 
evaluate any well-typed term. In this section, we will present an 
Agda function that computes the reduction sequence from any 
given closed, well-typed term to its value, if it has one. 


such = ww "xX" = “suc (> "x") 


begin 


SUCH 
—+{ B= } 
“suc sucu 


—( §-suc B-y ) 
“suc “suc SUuCU 

= e-slie (E-s0C B+) ) 
“suc “Suc “Suc suCcU 


Since every Agda computation must terminate, we cannot simply 
ask Agda to reduce a term to a value. Instead, we will provide a 
natural number to Agda, and permit it to stop short of a value if 
the term requires more than the given number of reduction steps. 


A similar issue arises with cryptocurrencies. Systems which use 
smart contracts require the miners that maintain the blockchain 
to evaluate the program which embodies the contract. For in- 
stance, validating a transaction on Ethereum may require execut- 
ing a program for the Ethereum Virtual Machine (EVM). A long- 
running or non-terminating program might cause the miner to in- 
vest arbitrary effort in validating a contract for little or no re- 
turn. To avoid this situation, each transaction is accompanied by 
an amount of gas available for computation. Each step executed 
on the EVM is charged an advertised amount of gas, and the 
transaction pays for the gas at a published rate: a given number 
of Ethers (the currency of Ethereum) per unit of gas. 


record Gas : Set where 
constructor gas 
field 
amount : N 


data Finished (N : Term) : Set where 


~ Finished N 


out-of-gas : 


Finished N 


data Steps (L : Term) : Set where 


steps : V {N} 
>~L—oN 
~ Finished N 


> Steps L 
eval {L} (gas zero) EL 
eval {L} (gas (suc m)) HL with progress HL 


steps (L #) out-of- 


| done VL = steps (L #) (done \ 
| step {M} L—M with eval (gas m) (preserve FL L—M) 
| steps MN fin = steps (L —( L—» ) 


Let L be the name of the term we are reducing, and FL be the 
evidence that L is well typed. We consider the amount of gas re- 
maining. There are two possibilities: 


* It is zero, so we stop early. We return the trivial reduction 
sequence L —~ L and an indication that we are out of 
gas. 


* It is non-zero and after the next step we have m gas re- 
maining. Apply progress to the evidence that term L is 
well typed. There are two possibilities: 


O Term L is a value, so we are done. We return the 
trivial reduction sequence L —~ L and the evi- 
dence that L is a value. 


© Term L steps to another term M. Preservation pro- 
vides evidence that ™ is also well typed, and we re- 
cursively invoke eval on the remaining gas. The re- 


sult is evidence that M —— N and indication of 
whether reduction finished. We combine the evi- 
dence that L —+ Mand M —— N to return evidence 
that L —— N and the indication of whether reduc- 
tion finished. 


Examples 


Fsucy : @F yu "x" > “suc > "x" 8 N 
FSsucu = FU (SUC (F 3x)) 

where 

3x =Z 


: eval (gas 3) Fsucu = 
steps 
(u "x" = “suc * "x" 
—+( Ba) 
“suc (u. "x" = “suc. ~ "x") 
—( €-suc B-y } 
“suc (“suc (uw "x" = “suc * "x")) 
—( €-Suc (G-suc B-{)) ) 
“suc (‘suc (suc (u "x" = “suc ~ "x"))) 
B) 
out-of -gas 
_ =refl 


: eval (gas 100) (Ftwoc - FSuc* + Fzero) 
steps 
((AX "Ss" = (K "Zz" > * Ms" (o Meh eS MZ"))) © (KX "nN" = “suc > "r 
“zero 
=9( €='a (B= VA) ) 
(A "2" = (A "n" = “suc ~ "n") = ((A "nm" = “suc ~ “n") = [ "2Z")) 
“zero 
—( B-X V-zero ) 
(X "n" = “suc ~ "n") + ((X "n" = “suc ~ "n") + *“zero) 
—( E-+2 V-X (B-X V-zero) ) 
(X "n" = “suc ~ "n") + “suc “zero 
—( B-X (V-suc V-zero) ) 
“suc (suc “zero) 
BH) 
(done (V-suc (V-suc V-zero))) 
_ =refl 


The example above was generated by using C-c C~n to nor- 
malise the left-hand side of the equation and pasting in the result 
as the right-hand side of the equation. The example reduction of 
the previous chapter was derived from this result, reformatting 
and writing two‘ and suc‘ in place of their expansions. 


: eval (gas 100) 2+2 = 
steps 
((y "= 
(A "mt" = 
(An S 
case ~ "m" [zero> ~ "n" |suc "m" = ‘suc (~ "+" + * "m" - 
]))) 
“suc (‘suc ~zero) 
- “suc (‘suc “zero) 
—( >in (€-*2 B=) ) 
(X "m" = 
(X "n" = 
case ~ "m" [zero= ~ "n" |suc "m" = 
“suc 
COE ae" = 
(X "m" = 
(Ans 


case ” a" [zero= = Mieylt | Suc "mM" = “suc (~ Ugly ‘ oe wt! ‘ 


JD) 
Nim 
A * ne) 
])) 
“suc (suc “zero) 
“suc (suc “zero) 
—( &-+1 (B-% (V-suc (V-suc V-zero))) ) 


(x Mit a 
case “suc (‘suc “zero) [zero= ~ "n" |suc "m" = 
“suc 
((u er => 
(x aT Ig => 
(x a i = 
case % Wye [zero= % yt | suc wi => “suc ( e Mage . > il A 
]))) 
~ Lr (a 
3 Tal) 


]) 
“suc (‘suc ~zero) 
—( B-X (V-suc (V-suc V-zero)) ) 
case ‘suc (‘suc “zero) [zero “suc (‘suc “zero) |suc "m" = 
~suc 


((u "+" = 
(X "m" = 
(X "n" = 
case ~ "m" [zero= 
JD) 
“qt 
“suc (*suc “zero)) 


* "nh " 


| suc "Mm" es *suc (~ wy Wess 8 wn" . 


] 
—( B-suc (V-suc V-zero) ) 
“suc 
((u "+" = 
(X "m" = 
(KX "n" = 
case ~ "m" [zero= 
I), 
suc “zero 
- “suc (~suc “zero)) 
—>{ &-suc (&-+1 (§-+1 B-y)) ) 
SUC 
((X "m" = 
(KX "n" = 
case ~ "m" [zero= 
“suc 
((u "+" = 
(xX "m" = 
(X "n" = 
case © "m" [zero= 


1))) 


be "nh “ 


| suc “M" = ‘suc (> wa wm oS Um" 2 


¥ "nh " 


| suc "Mm" as 


© "nh u 


| suc um" = “suc (~ maw . I* "Mm" 


“suc “zero 
“suc (suc “zero)) 
—( &E-suc (E-+1 (B-X (V-suc V-zero))) ) 
“suc 
((X "n" = 
case ‘suc “zero [zero=> 
“suc 
((u "+" = 
(KX "m" = 
(KX "n" = 
case * "m" [zero> ~ 
JD) 
bl 
<u") 


% tin u 


| suc uM" ae 


hh " | suc um" = ‘suc (* nau i & "Mm" ‘ 


}) 


“suc (*suc “zero)) 


—( &-suc (B-X% (V-suc (V-suc V-zero))) ) 
“suc 


case ‘suc “zero [zero ‘suc (‘suc “zero) |suc "m" => 
“suc 
((u per = 
(x "im" => 
(x bat «Va = 
case * a | | Ya [ zero= * a ai | suc bal | a = ‘suc (~ ee ; * the 1 
]))) 
* Mi 
“suc (‘suc ~“zero)) 
] 
—( &-suc (B-suc V-zero) ) 
“suc 
(*suc 
((u aN = 
(x sa Pas aes 
(x a Yi = 
case & Mig [zero= % iit | suc a = “suc (~ ur a 5 » ial A 
JD) 
zero 


“suc (‘suc ~zero))) 
—( §-suc (€-suc (§--1 (€-+1 B-y))) ) 
SUC 
(*suc 
((X "m" = 
(K "n" = 
case © "m" [zero= ~ "n" |suc "m" = 
“suc 
CC EP ee 
(X "m" = 
(X "n" = 
case © "m" [zero> ~ "n" |suc "m" 
DD) 
ii! 
~ unt 
1)) 
zero 
“suc (‘suc ~zero))) 
—( &E-suc (&-suc (E-+1 (B-X V-zero))) ) 
“suc 
(*suc 
((KX "n" = 
case “zero [zero= ~ "n" |suc "m" = 
“suc 
CC 
(KX "m" = 


= ‘suc (~ "+": 


¥ "M" - 


(Ans 
case ~ "mi" [zero= ~ "n” [suc “m" = “suc (° "e" « "mm" « 
JD) 
. "mM" 
a te) 
]) 
- “suc (‘suc “zero))) 
—( &E-suc (&-suc (B-% (V-suc (V-suc V-zero)))) ) 
“suc 
(*suc 
case “zero [zero ‘suc (‘suc “zero) |suc "m" => 
“suc 
CQ Me" = 
(X “m" = 
(KX "n" = 
case * "m" [zero> ~ "n" |suc "m" = ‘suc (~ "+" 5° "m" - 
DD) 
|| a 
- “suc (‘suc “zero)) 
]) 
—( &-suc (&-suc B-zero) ) 
“suc (‘suc (‘suc (‘Suc “zero))) 
B) 
(done (V-suc (V-suc (V-suc (V-Suc V-zero))))) 
_ =refl 


Again, the derivation in the previous chapter was derived by 
editing the above. 


_ : eval (gas 100) F2+2° = 


steps 
(x "m" = 
(KX "n" = 
(Aes se (KR PZ ee a Se ge eg YD) 
BOCK ST sae (ANZ ee GI eC gE es ZY) 
(Ks! (A. MZ" ae OS (gh ae ZN) 
(KX "n" > ‘suc * "n") 
“zero 
—{ Esa (E-+1 (E-+1 (B-X V-X))) ) 
(KX "n" 
(A's Ss 
(AMZ = 


(AMS ee (RO ee” NGO oe (™ Gh RE) a 
Ci ee eS eT) 

(gh se Re) a * gh af Mey * Re) )) 

* (K "n" = “suc ~ "n") 


- “zero 
—{ E-+1 (E-+1 (B-K V-A)) ) 
(x Wer => 
(x se di as 
(x Mem = (x Wo" = » Mem ‘ (¢ ew ; x da )) < * Mgt i 
((Xx i => (x wa = + We" s, (~ lee Fi * 1 ))) é * Mig! 2 » mz y:) 
é (x vA = ‘suc ™ he } 
- “zero 
—( &-+1 (B-A V-X) ) 
(X ww Er 
(x ten => (x a => bs neu é (~ We é * m2) ) é (x My => “suc ~ iT 


((X mer = (x A = * mies A (~ vig A * mo) YY ‘ (X a = ‘suc * 
: 5 m2) ) 
- “zero 
—( B-X V-zero }) 
(x ig ™ an (x Mi da = me Mig A CG Ne A kd gee) ):) . (x a as, ‘Iguc % Wr 


((X "s" = (K "2" = * "gs" - ("st 2 * "Z"))) + (KX "n" = fsuc * " 
: “zero) 
—( &-+1 (B-% V-%) ) 
(K "2" & (K “n" = “sue ~ “nM = CCA “na = “sue * “a™) = fF "2z")) 
CCK St Se (KAP SPS a (CP ge a BY) oe OS sue * * 
: ~zero) 
=o Eo-2 Ven. (E=*a (B-A Ven) ) 7 
(KX "Zz" = (KX "n" = “suc * "n") = ((K "n" = “suc ~*~ "n") = / "z")) 
CK 2" & (On & “sue ~ ne) = (COA "a Ss sue ~ "n”) =p M2" )) 
“zero) 
—( E-+2 V-X (B-X V-zero) ) 
(KX °2" = (K "n" = “sue ~ "n") = ((X “mn” = “suc * “n™) = | “z")) 
((K."n" = “sue ~ “n') = (CA "nn" S “sue * “n") * “zero)) 
—( E-+2 V-XK (E-+2 V-X (B-% V-zero)) ) 
(%. "2" 2 (4 "n" @ “Sue” "n") © (A “nm” = “sue * “a™) = ["2")) 
((X "n" = “suc ~ "n") + “suc *zero) 
—( E-+2 V-X (B-X (V-suc V-zero)) } 
(X "Zz" = (KX "n" = “suc ~ "n") = ((K "n" = “suc ~ "n") = / "z")) 
“suc (suc “zero) 
—( B-X (V-suc (V-suc V-zero)) } 
(KX "n" = “suc ~ "n") + ((X "n" = “suc ~ "n") + “suc (‘suc ~zero) 
—( E-+2 V-X (B-X (V-suc (V-suc V-zero))) ) 
(KX "n" = ‘suc ~ "n") + “suc (‘suc (‘suc “zero)) 
—( B-X (V-suc (V-suc (V-suc V-zero))) ) 
“suc (~suc (‘suc (‘suc ~zero))) 
B) 
(done (V-suc (V-suc (V-suc (V-suc V-zero))))) 


_ = refl 


And again, the example in the previous section was derived by 
editing the above. 


Exercise mul-eval (recommended) 
Using the evaluator, confirm that two times two is four. 


-- Your code goes here 


Exercise: progress—preservation (practice) 


Without peeking at their statements above, write down the 
progress and preservation theorems for the simply typed lambda- 
calculus. 


-- Your code goes here 


Exercise subject_expansion (practice) 


We say that M reduces to Nif M —-> N, but we can also describe 
the same situation by saying that N expands to M. The preserva- 
tion property is sometimes called subject reduction. Its opposite is 
subject expansion, which holds if M —+ Nand @ - N 8 A im- 
ply @ - M 8 A. Find two counter-examples to subject expan- 
sion, one with case expressions and one not involving case ex- 
pressions. 


-- Your code goes here 
Well-typed terms don’t get stuck 


Normal : Term > Set 
Normal M = V {N} > = (M — N) 


Stuck : Term > Set 
Stuck M = Normal M x - Value M 


postulate 


>~@EM 


~ = (Stuck M) 


postulate 
preserves : V {MN A} 
~@EMBA 
>M—N 
>@tENSA 
postulate 
wttdgs : V {MN A} 
-~@EMBA 
>~M—+N 


> -= (Stuck N) 

Felleisen and Wright, who introduced proofs via progress and 
preservation, summarised this result with the slogan well-typed 
terms don’t get stuck. (They were referring to earlier work by 
Robin Milner, who used denotational rather than operational se- 
mantics. He introduced wrong as the denotation of a term with 
a type error, and showed well-typed terms don’t go wrong.) 

Exercise stuck (practice) 


Give an example of an ill-typed term that does get stuck. 


-- Your code goes here 


Exercise unstuck (recommended) 


Provide proofs of the three postulates, unstuck, preserves, 
and wttdgs above. 


-- Your code goes here 


Reduction is deterministic 


When we introduced reduction, we claimed it was deterministic. 
For completeness, we present a formal proof here. 


conga : V{ABCDE: Set} (f :A>B+C-D-E) 
{s w: A} {t x : B} {uy : C} {vz : D} 
>S=wret=E=xrutyrvezefstuvefwxyz 
congs f refl refl refl refl = refl 


det : V {MM M’} 


> (M — M’) 

> (M — M”) 

-~M =M’ 
Get (E-"— LL") (e-"¢ LL") = cong2 - (det L—-L’ L—-L”) r 
det (E--1 LL’) = (E-+2 VL MOM’) = L-elim (V+—> VL L—L’) 
Get (e=en Leal") . (Bee) = 1-elim (V-— V-X L—-L’) 
det (E-*2 VL. _) (E-+1 LL”) = l-elim (V-— VL L—L”) 
det (E-:2 MM’) (E-:2 — MM”) = congz _:_ refl (det MoM’ M— 
det (€-:2 _ M—M’) (B-X% VM) = 1-elim (V-— VM M—M’) 
det (B-% _) (E-+1 LL”) = l-elim (V-— V-X L—-L”) 
det (B-% VM) (E--2 MoM’) = 1L-elim (V-— VM M=M’) 
det (B-X _) (B-X _) = refl 
det (€-suc M—M’) (&-suc M—M”) = cong ‘suc. (det M—M’ M—M”) 
det (€-case L—-L’) (€-case L—-L”) = conga case [zero= _|suc_= ] 

(det L—L’ L—-L”) refl refl 

det (§-case L—L’) B-zero = l-elim (V-— V-zero L—L’) 
det (€-case L—L’) (B-suc VL) = 1-elim (V+—> (V-suc VL) LOL’ 
det B-zero (€-case MM”) = L-elim (V-— V-zero M—M”) 
det B-zero B-zero = refl 
det (B-suc VL) (E-case L-L”) = L-elim (V-— (V-suc VL) L—-L’ 
det (B-suc _) (B-suc _) = refl 
det B-y B-p = refl 


The proof is by induction over possible reductions. We consider 
three typical cases: 


* Two instances of £--1: 


L— L’ L— L” 

Se ee Some ee eee Ge 
L+M->+L’ -M L+M-—>+L" -M 

By induction we have L’ = L”, and hence by congruence 


L’ -M=EL"- M 


« An instance of £--1; and aninstance of &--2: 


Value L 
L— L’ M— M" 
= Basa a= = beg 
L:-M-—-L'-M L+M-—->L-= M" 


The rule on the left requires L to reduce, but the rule on 
the right requires L to be a value. This is a contradiction 
since values do not reduce. If the value constraint was re- 
moved from £--2, or from one of the other reduction 
rules, then determinism would no longer hold. 


Two instances of B-A: 


Value V Value 
V 
= = B-A 
= B-A 
(Ax PN) ->V—ONOE x:=V] (Ax > 
N) ->V—~->NOE[x?:=V ] 


Since the left-hand sides are identical, the right-hand sides 
are also identical. The formal proof simply invokes ref1l. 


Five of the 18 lines in the above proof are redundant, e.g., the 
case when one rule is &--1 and the other is &--2 is considered 
twice, once with £&--, first and &--2 second, and the other time 
with the two swapped. What we might like to do is delete the re- 
dundant lines and add 


det M-—-M’ M—-M” = sym (det M--M” M—-M’) 


to the bottom of the proof. But this does not work: the termina- 
tion checker complains, because the arguments have merely 
switched order and neither is smaller. 


Quiz 


Suppose we add a new term zap with the following reduction 
rule 


Which of the following properties remain true in the presence of 
these rules? For each property, write either “remains true” or 
“becomes false.” If a property becomes false, give a counterexam- 
ple: 


* Determinism 
* Progress 


* Preservation 
Quiz 


Suppose instead that we add a new term foo with the following 
reduction rules: 


B-foo1 
(A x => *- x) —> foo 


- - B-foo2 
foo —> zero 


Which of the following properties remain true in the presence of 
this rule? For each one, write either “remains true” or else “be- 
comes false.” If a property becomes false, give a counterexample: 


* Determinism 
* Progress 


¢ Preservation 


Quiz 


Suppose instead that we remove the rule &-, from the step rela- 
tion. Which of the following properties remain true in the ab- 
sence of this rule? For each one, write either “remains true” or 
else “becomes false.” If a property becomes false, give a coun- 
terexample: 


* Determinism 
* Progress 


¢ Preservation 
Quiz 


We can enumerate all the computable function from naturals to 
naturals, by writing out all programs of type ~N => “N in lexi- 
cal order. Write £; for the i’th function in this list. 


Say we add a typing rule that applies the above enumeration to 
interpret a natural as a function from naturals to naturals: 


TFL 
T FM 


° 
° 
° 
° 


TFL-M8<N 


And that we add the corresponding reduction rule: 


Which of the following properties remain true in the presence of 
these rules? For each one, write either “remains true” or else “be- 
comes false.” If a property becomes false, give a counterexample: 


* Determinism 
* Progress 


¢ Preservation 


Are all properties preserved in this case? Are there any other al- 
terations we would wish to make to the system? 


Unicode 


This chapter uses the following unicode: 


A U+019B LATIN SMALL LETTER LAMBDA WITH STROKE 
(\G1-) 

A U+0394 GREEK CAPITAL LETTER DELTA (\GD or 
\Delta) 

B U+03B2 GREEK SMALL LETTER BETA (\Gb or 
\beta) 

6 U+03B4 GREEK SMALL LETTER DELTA (\Gd or 
\delta) 

yw U+03BC GREEK SMALL LETTER MU (\Gm or \mu) 

—€ U+0O3BE GREEK SMALL LETTER XI (\Gx or \xi) 

p U+03B4 GREEK SMALL LETTER RHO (\Gr or \rho) 

i U+1D62 LATIN SUBSCRIPT SMALL LETTER I (\_i) 

€ U+1D9C MODIFIER LETTER SMALL C (\%c) 

U+2013 EM DASH (\em) 

U+2084 SUBSCRIPT FOUR (\_4) 


4 

~ U+21A0 RIGHTWARDS TWO HEADED ARROW (\rr-) 
> U+21D2 RIGHTWARDS DOUBLE ARROW (\=>) 

© U+2205 EMPTY SET (\0) 

> U+220B CONTAINS AS MEMBER (\ni) 

£ U+225F QUESTIONED EQUAL TO (\?=) 

F U+22A2 RIGHT TACK (\vdash or \|-) 

8 U+2982 2Z NOTATION TYPE COLON (\:) 


First, we get all our infix declarations out of the way. We list 
separately operators for judgments, types, and terms: As before, 
we have just two types, functions and naturals. The formal defi- 
nition is unchanged: Contexts are as before, but we drop the 
names. Contexts are formalised as follows:A context is just a list 
of types, with the type of the most recently bound variable on 
the right. As before, we let IT’ and A range over contexts. We 
write © for the empty context, and T , A for the context T ex- 
tended by type A. For example for variables which in context T 
have type A. The lookup judgement is formalised by a datatype 
indexed by a context and a type. It looks exactly like the old 
lookup judgment, but with all variable names dropped: They cor- 
respond to the following intrinsically-typed variables: for terms 
which in context I have type A. The judgement is formalised by 
a datatype indexed by a context and a type. It looks exactly like 
the old typing judgment, but with all terms and variable names 
dropped: They correspond to the following intrinsically-typed 
terms: We define a helper function that computes the length of a 
context, which will be useful in making sure an index is within 
context bounds:We can use a natural number to select a type 
from a context: Given the above, we can convert a natural to a 
corresponding de Bruijn index, looking up its type in the con- 
text:We can then introduce a convenient abbreviation for vari- 
ables: With this abbreviation, we can rewrite the Church numeral 
two more compactly: First, computing two plus two on naturals: 
Next, computing two plus two on Church numerals: As before, 
we first need an extension lemma that allows us to extend the 
context when we encounter a binder. Given a map from variables 
in one context to variables in another, extension yields a map 
from the first context extended to the second context similarly 
extended. It looks exactly like the old extension lemma, but with 
all names and terms dropped: With extension under our belts, it 
is straightforward to define renaming. If variables in one context 
map to variables in another, then terms in the first context map 
to terms in the second: Here is an example of renaming a term 
with one free and one bound variable: The structure of the defi- 
nition and the proof is remarkably close to that for renaming. 
Again, we first need an extension lemma that allows us to extend 
the context when we encounter a binder. Whereas renaming con- 


cerned a map from variables in one context to variables in an- 
other, substitution takes a map from variables in one context to 
terms in another. Given a map from variables in one context to 
terms over another, extension yields a map from the first context 
extended to the second context similarly extended: With exten- 
sion under our belts, it is straightforward to define substitution. 
If variables in one context map to terms over another, then terms 
in the first context map to terms in the second: From the general 
case of substitution for multiple free variables it is easy to define 
the special case of substitution for one free variable: Here is the 
example formalised: Say the bound "x" has type ~N => -N, 
the substituted "y" has type ~N, and the free "x" also has 
type ~N => “N. Here is the example formalised: The definition 
of value is much as before: The reflexive and transitive closure is 
exactly as before. We simply cut-and-paste the previous defini- 
tion: We reiterate each of our previous examples. First, the 
Church numeral two applied to the successor function and zero 
yields the natural number two: Next, a sample reduction demon- 
strating that two plus two is four:And finally, a similar sample re- 
duction for Church numerals: As before, every term that is well 
typed and closed is either a value or takes a reduction step. The 
formulation of progress is just as before, but annotated with 
types:The statement and proof of progress is much as before, ap- 
propriately annotated:When our evaluator returns a term N, it 
will either give evidence that N is a value or indicate that it ran 
out of gas:Given aterm L of type A, the evaluator will, for some 
N, return a reduction sequence from L to N and an indication of 
whether reduction finished:The evaluator takes gas and a term 
and returns the corresponding steps: We reiterate each of our 
previous examples. We re-define the term sucy that loops for- 
ever:To compute the first three steps of the infinite reduction se- 
quence, we evaluate with three steps worth of gas:The Church 
numeral two applied to successor and zero:Two plus two is 
four:And the corresponding term for Church numerals: 


DeBruijn: Intrinsically-typed de Bruijn 
representation 


module plfa.part2.DeBruijn where 


The previous two chapters introduced lambda calculus, with a 
formalisation based on named variables, and terms defined sepa- 
rately from types. We began with that approach because it is tra- 
ditional, but it is not the one we recommend. This chapter 
presents an alternative approach, where named variables are re- 
placed by de Bruijn indices and terms are indexed by their types. 
Our new presentation is more compact, using substantially fewer 
lines of code to cover the same ground. 


There are two fundamental approaches to typed lambda calculi. 
One approach, followed in the last two chapters, is to first define 
terms and then define types. Terms exist independent of types, 
and may have types assigned to them by separate typing rules. 
Another approach, followed in this chapter, is to first define 
types and then define terms. Terms and type rules are inter- 
twined, and it makes no sense to talk of a term without a type. 
The two approaches are sometimes called Curry style and Church 
style. Following Reynolds, we will refer to them as extrinsic and 
intrinsic. 


The particular representation described here was first proposed 
by Thorsten Altenkirch and Bernhard Reus. The formalisation of 
renaming and substitution we use is due to Conor McBride. Re- 
lated work has been carried out by James Chapman, James McK- 
inna, and many others. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 

open Eq using ( = ; refl) 

open import Data.Empty using (1; L-elim) 

open import Data.Nat using (N; zero; suc; < ; s? ; zsn; sss) 
open import Relation.Nullary using (-_) 


open import Relation.Nullary.Decidable using (True; toWitness) 


Introduction 


There is a close correspondence between the structure of a term 
and the structure of the derivation showing that it is well typed. 
For example, here is the term for the Church numeral two: 


twof : Term 
twot = WN WoW => WN WoW => S Wom, (- Wow . moM) 


And here is its corresponding type derivation: 


Ftwot : V {A} + OF twot 8 ChaA 
Etwot = FA (FA (F* 3s - (F* DBDs + FE 3Bz))) 


where 
2s = S’ Z 
Dz = 2 


(These are both taken from Chapter Lambda and you can see the 
corresponding derivation tree written out in full here.) The two 
definitions are in close correspondence, where: 


* *_ corresponds to F° 
* A_>_ corresponds to FA 
* _+_ corresponds to _-_ 


Further, if we think of Z as zero and S as successor, then the 
lookup derivation for each variable corresponds to a number 
which tells us how many enclosing binding terms to count to find 
the binding of that variable. Here "z" corresponds to Z or zero 
and "s" corresponds to S Z or one. And, indeed, "z" is bound 
by the inner abstraction (count outward past zero abstractions) 
and "s" is bound by the outer abstraction (count outward past 
one abstraction). 


In this chapter, we are going to exploit this correspondence, and 
introduce a new notation for terms that simultaneously repre- 
sents the term and its type derivation. Now we will write the fol- 
lowing: 


A variable is represented by a natural number (written with Z 
and Ss, and abbreviated in the usual way), and tells us how many 
enclosing binding terms to count to find the binding of that vari- 
able. Thus, # 0 is bound at the inner A, and # 1 at the outer 
A. 


Replacing variables by numbers in this way is called de Bruijn 
representation, and the numbers themselves are called de Bruijn 
indices, after the Dutch mathematician Nicolaas Govert (Dick) de 
Bruijn (1918—2012), a pioneer in the creation of proof assis- 
tants. One advantage of replacing named variables with de Bruijn 
indices is that each term now has a unique representation, rather 
than being represented by the equivalence class of terms under 
alpha renaming. 


The other important feature of our chosen representation is that 
it is intrinsically typed. In the previous two chapters, the defini- 
tion of terms and the definition of types are completely separate. 
All terms have type Term, and nothing in Agda prevents one 
from writing a nonsense term such as *zero + ‘suc *zero 
which has no type. Such terms that exist independent of types 
are sometimes called preterms or raw terms. Here we are going to 
replace the type Term of raw terms by the type T + A of in- 
trinsically-typed terms which in context T have type A. 


While these two choices fit well, they are independent. One can 
use de Bruijn indices in raw terms, or have intrinsically-typed 
terms with names. In Chapter Untyped, we will introduce terms 
with de Bruijn indices that are intrinsically scoped but not typed. 


A second example 
De Bruijn indices can be tricky to get the hang of, so before pro- 


ceeding further let’s consider a second example. Here is the term 
that adds two naturals: 


plus : Term 
plus =u waw => KR wy > KR wy > 
case ~ "m" 
[zero> ~ "n" 


| suc Mm" > ~suc (~ Wwaiw < * Mm" 
"n") ] 


Note variable "m" is bound twice, once in a lambda abstraction 
and once in the successor branch of the case. Any appearance of 
"m" in the successor branch must refer to the latter binding, due 
to shadowing. 


Here is its corresponding type derivation: 


Fplus : OF plus 3 -N>CNACN 
Fplus = Fy (FA (FA (Fcase (F* 3m) (FF 3Bn) 
(sue (IR 2S “ee cS ee Sn). 9) 
where 
D+ 


The two definitions are in close correspondence, where in addi- 
tion to the previous correspondences we have: 


* - zero corresponds to Fzero 

* ~suc_ corresponds to Fsuc 

° case_[zero>_|suc_>_] corresponds to Fcase 
* yp_=_ corresponds to Fu 


Note the two lookup judgments 3m and 3m’ refer to two differ- 
ent bindings of variables named "m". In contrast, the two judg- 
ments 3n and 3n’ both refer to the same binding of "n" but 
accessed in different contexts, the first where "n" is the last 
binding in the context, and the second after "m" is bound in the 
successor branch of the case. 


Here is the term and its type derivation in the notation of this 
chapter: 


plus : V {rT} ~-TFCNZ>CN SCN 
plus = pAA case (# 1) (# 0) (‘suc (# 3 + #0 
# 1)) 


Reading from left to right, each de Bruijn index corresponds to a 
lookup derivation: 


1 corresponds to >m 
0 corresponds to 3n 
3 corresponds to 3+ 
0 corresponds to 3m’ 


* # 1 corresponds to 3n’ 


The de Bruijn index counts the number of Ss constructs in the 
corresponding lookup derivation. Variable "n" bound in the in- 
ner abstraction is referred to as # 0 in the zero branch of the 
case but as # 1 in the successor branch of the case, because of 
the intervening binding. Variable "m" bound in the lambda ab- 
straction is referred to by the first # 1 in the code, while vari- 
able "m" bound in the successor branch of the case is referred to 
by the second # 0. There is no shadowing: with variable names, 
there is no way to refer to the former binding in the scope of the 
latter, but with de Bruijn indices it could be referred to as # 2. 


Order of presentation 


In the current chapter, the use of intrinsically-typed terms neces- 
sitates that we cannot introduce operations such as substitution 
or reduction without also showing that they preserve types. 
Hence, the order of presentation must change. 


The syntax of terms now incorporates their typing rules. The def- 
inition of substitution is somewhat more involved, but incorpo- 
rates the trickiest part of the previous proof, the lemma establish- 
ing that substitution preserves types. The definition of reduction 
incorporates preservation, which no longer requires a separate 
proof. 


Syntax 


We now begin our formal development. 


infix 4 -_ 
infix 4 53_ 
infixl 5 


intixr 7 = 


infix 5 *_ 
infix 5 yw. 
INnTLXt. F 
infix 8 “suc_ 
infix 9 ~ 


infix 95S_ 
infix 9 #. 


Since terms are intrinsically typed, we must define types and 
contexts before terms. 


Types 


data Type : Set where 
=: Type - Type > Type 


“‘N =: Type 
Contexts 


data Context : Set where 
@ : Context 
_,_ : Context > Type - Context 


_ : Context 
_=@, NaN, N 


is a context with two variables in scope, where the outer bound 
one has type ~N = “N, and the inner bound one has type ~N. 


Variables and the lookup judgment 
Intrinsically-typed variables correspond to the lookup judgment. 


They are represented by de Bruijn indices, and hence also corre- 
spond to natural numbers. We write 


S_ : V {Fr AB} 
+T3A 


Constructor S no longer requires an additional parameter, since 
without names shadowing is no longer an issue. Now construc- 
tors Z and S correspond even more closely to the constructors 
here and there for the element-of relation _€_ on lists, as 
well as to constructors zero and suc for natural numbers. 


For example, consider the following old-style lookup judgments: 


° & F Won 8 ~N > ~N WoW 8 ~N =) WoW 8 ~N 

° & P Won 8 ~N > ~N , WoW 8 ~N > "ys" 8 ~N => 
~N 

1:8, N2°N, ‘N3°‘N 

_=2 

—:@, N2-N, N39 NSN 

=SZ 


In the given context, "z" is represented by Z (as the most re- 
cently bound variable), and "s" by S Z (as the next most re- 
cently bound variable). 


Terms and the typing judgment 


Intrinsically-typed terms correspond to the typing judgment. We 
write 


rea 


data + _: Context - Type - Set where 


oT ,AEFB 


The definition exploits the close correspondence between the 
structure of terms and the structure of a derivation showing that 
it is well typed: now we use the derivation as the term. 


For example, consider the following old-style typing judgments: 


~N 
e Wo ° N > N . WoW 8 N KF Won 
WoW 8 N 
e '%) P WoW 8 N > ~N - WoW S N K Wo ( 
Won wo") 8 N 
e '%) ; WoW 9 ~N > ~N KF (A WoW => Wo ( 
Won "ZM)) 8 ~N > ~N 


_1:@, -N2°N, NEON 
1:8, N2=°N, NECN= CN 
_=°S8Z 

_:@, -N2°N, NECN 

= S25 2 

_1:@, N2°N, NECN 

C=" S241 e3 Z) 


The final term represents the Church numeral two. 


Abbreviating de Bruijn indices 


length : Context +N 
length 2 zero 
length (T , _) suc (length T) 


lookup : {f : Context} - {n : N} - 
lookup {(_ , A)} {zero} (sss zsn 
lookup {(F , _)} {(suc n)} (sss p) 


(p 


) 


: n < length T) > Type 
A 
lookup p 


We intend to apply the function only when the natural is shorter 
than the length of the context, which is witnessed by p. 


count : V {f} > {n : N} > (pings 
count {_ , _} {zero} (sss zsn) 
count {Ff , } {(suc n)} (sss p) 


# =: V {T} 
> (n: N) 


ipl [) +f 3 lookup p 


: (count p) 


> {ne : True (suc n s? length [)} 


> VT - lookup (toWitness néf ) 
# =n {n&} = ~*~ count (toWitness n€&) 


Function #_ takes an implicit argument ne? that provides evi- 
dence for n to be within the context’s bounds. Recall that True, 
_<?_ and toWitness are defined in Chapter Decidable. The 
type of ne? guards against invoking #_ onan n that is out of 
context bounds. Finally, in the return type nef is converted to a 
witness that n is within the bounds. 


F (‘N= ‘N) = ‘N= °N 
xX (# 1. (#1- #60)) 


Test examples 


We repeat the test examples from Chapter Lambda. You can find 
them here for comparison. 


two: V {fT} -F FON 
two = “suc ‘suc “zero 


plus: V {fT} >F Rk N= 
plus = u X X (case (#1) (# 0) (‘suc (#3: #0: #1))) 


242: V {Tf} -F FON 
2+2 = plus : two « two 


We generalise to arbitrary contexts because later we will give ex- 
amples where two appears nested inside binders. 


Ch : Type - Type 
ChA = (A=A)=>A2A 


T A}oPFerRCHA 


twoc : V {i 
KX (# 1+: (#1: #0)) 


twos = 


plusc : V {fF A} = by ChA=ChA=ChA 
pluss =KKXX ae -#1:+ (#2+#1-+ #0)) 


succ : V {fF} > PF FE N=  N 


succ = X ‘suc (# 0) 


242° : V {fF} -F FN 
2+2° = plus© : twoc « twos + suc® : “zero 


As before we generalise everything to arbitrary contexts. While 
we are at it, we also generalise two* and plus‘ to Church nu- 
merals over arbitrary types. 


Exercise mul (recommended) 


Write out the definition of a lambda term that multiplies two 
natural numbers, now adapted to the intrinsically-typed de 
Bruijn representation. 


-- Your code goes here 


Renaming 


Renaming is a necessary prelude to substitution, enabling us to 
“rebase” a term from one context to another. It corresponds di- 
rectly to the renaming result from the previous chapter, but here 
the theorem that ensures renaming preserves typing also acts as 
code that performs renaming. 


ext : V {PF A} 

> (V {A} - rFOIA- A 35 A) 
> (V {AB} -F ,B3A+A,B3 A) 
ext p Z = Z 

ext p (S x) = S (p x) 


Let op be the name of the map that takes variables in TI to vari- 
ables in A. Consider the de Bruijn index of the variable in T , 
B: 


- If itis Z, which has type Bin T , B, then wereturn 2, 
which also has type Bin A , B. 


* If itis S x, for some variable xin I, then op x isa vari- 
able in A, andhence S (p x) isavariablein A , B. 


rename : V {F A} 
~ (V {A} =F 3A3A39 A) 


> (V {A} -T r+ 
rename p (° x) 
rename p (X N) 
rename p (L : M) 
rename p (zero) 
rename p (‘suc M) 
rename p (case L M N) 
rename p (uy N) 


~ (p Xx) 

K (rename (ext p) N) 

(rename p L) - (rename p M) 

“zero 

“suc (rename p M) 

case (rename p L) (rename p M) (rename (e 
(rename (ext p) N) 


Let po be the name of the map that takes variables in TI to vari- 
ables in A. Let’s unpack the first three cases: 


* If the term is a variable, simply apply op. 


* If the term is an abstraction, use the previous result to ex- 
tend the map op suitably and recursively rename the body 
of the abstraction. 


* If the term is an application, recursively rename both the 
function and the argument. 


The remaining cases are similar, recursing on each subterm, and 
extending the map whenever the construct introduces a bound 
variable. 


Whereas before renaming was a result that carried evidence that 
a term is well typed in one context to evidence that it is well 
typed in another context, now it actually transforms the term, 
suitably altering the bound variables. Type checking the code in 
Agda ensures that it is only passed and returns terms that are 
well typed by the rules of simply-typed lambda calculus. 


Mo : 


Mo 


Mi : 


Mi 


He 
U 
eZ 


(# 


ll 
x & 


salisss 
a 


%Z 


(# 


ll 
x & 


: rename S_ Mo 


refl 


ge 


In general, rename S_ will increment the de Bruijn index for 
each free variable by one, while leaving the index for each bound 
variable unchanged. The code achieves this naturally: the map 
originally increments each variable by one, and is extended for 
each bound variable by a map that leaves it unchanged. 


We will see below that renaming by S_ plays a key role in sub- 
stitution. For traditional uses of de Bruijn indices without intrin- 
sic typing, this is a little tricky. The code keeps count of a num- 
ber where all greater indexes are free and all smaller indexes 
bound, and increment only indexes greater than the number. It’s 
easy to have off-by-one errors. But it’s hard to imagine an off-by- 
one error that preserves typing, and hence the Agda code for in- 
trinsically-typed de Bruijn terms is intrinsically reliable. 


Simultaneous Substitution 


Because de Bruijn indices free us of concerns with renaming, it 
becomes easy to provide a definition of substitution that is more 
general than the one considered previously. Instead of substitut- 
ing a closed term for a single variable, it provides a map that 
takes each free variable of the original term to another term. Fur- 
ther, the substituted terms are over an arbitrary context, and 
need not be closed. 


exts : V {fF A} 
> (V {A} - rS3A- At A) 


> (V {AB} >-F ,BIA+A, BEA) 
er 


exts o (S x) rename S_ (o x) 


Let o be the name of the map that takes variables in T to terms 
over A. Consider the de Bruijn index of the variable in T , B: 


- Ifitis z, which has type Bin I , B, then we return the 
term ~ Z, which also has type Bin A , B. 


* If itis S x, for some variable x in I, then o xis aterm 
in A,and hence rename S_ (o x) isatermin A , B. 


This is why we had to define renaming first, since we require it 
to convert a term over context A to a term over the extended 
context A , B. 


subst : V {f A} 
~ (V {A} -F 3ASAFA) 


> (V {A} -F FASAEFA) 
subst o (~ x) 0 X 
subst K (subst (exts o) N) 
subst (subst o L) : (subst o M) 


“zero 

“suc (subst o M) 

case (subst o L) (subst o M) (subst (exts 
wu (subst (exts o) N) 


Pad 
-_ Zz 
Hou wo od bod wot 


wn 

[= 

oO 

wn 

ct 
aqaqgqaqgaaqaaa 


Let o be the name of the map that takes variables in T to terms 
over A. Let’s unpack the first three cases: 


* If the term is a variable, simply apply o. 


* If the term is an abstraction, use the previous result to ex- 
tend the map o suitably and recursively substitute over 
the body of the abstraction. 


* If the term is an application, recursively substitute over 
both the function and the argument. 


The remaining cases are similar, recursing on each subterm, and 


extending the map whenever the construct introduces a bound 
variable. 


Single substitution 


[.]: V {F A B} 

>F ,BEA 

+>TEB 

o>TEA 

_[_] {7} {A} {B} NM = subst {fF , B} {Tf} o {A} N 
where 


o:VfA}oF ,BIAHTEA 
o Z = M 


o (Sx) = °x 


In a term of type A over context I , B, we replace the variable 
of type B by a term of type B over context I. To do so, we use 
a map from the context IT , B to the context I, that maps the 
last variable in the context to the term of type B and every other 
free variable to itself. 


Consider the previous example: 


é (A mom => + Wom, ( m7) ) [ "gs" := 
suc® ] yields A "z" > suc® - (suc® + > "z") 


7 @y *N = “N 
M2 =X#1: (#1: #0) 


M3 ‘N = “N 
Ms = X ‘suc # 0 
Ma : @FE N= N 
Ma = X (X “suc # 0) : ((X “suc # 0) « # 0) 


Previously, we presented an example of substitution that we did 
not implement, since it needed to rename the bound variable to 
avoid capture: 


e (A Ws > * Wee ‘ % wy") [ a da = s Wye" 
*zero ] should yield A "2" 3 > "z" - (* MxM 
~ zero) 


Ms io, 
Ms =XK#0: #1 


Me: @, 
Me = #0: “zero 


Mz: F (‘N= “N) = “N 
1 


“zero)) 


_=refl 


The logician Haskell Curry observed that getting the definition of 
substitution right can be a tricky business. It can be even trickier 
when using de Bruijn indices, which can often be hard to deci- 
pher. Under the current approach, any definition of substitution 
must, of necessity, preserve types. While this makes the defini- 
tion more involved, it means that once it is done the hardest 
work is out of the way. And combining definition with proof 
makes it harder for errors to sneak in. 


Values 


data Value : V {f A} > fF FA = Set where 


> Value (X N) 


V-zero : V {fT} 


~ Value (‘zero {}) 


V-suc : V {Tf} {V: PF F ‘N} 
> Value V 


~ Value (‘suc V) 


Here zero requires an implicit parameter to aid inference, 
much in the same way that [] did in Lists. 


Reduction 


The reduction rules are the same as those given earlier, save that 
for each term we must specify its types. As before, we have com- 
patibility rules that reduce a part of a term, labelled with &, and 
rules that simplify a constructor combined with a destructor, la- 
belled with B: 


infix 2 —_ 


data — : V {f A} - (TF A) = (F F A) = Set where 


E--1 : V {fF A B} {L L’ : F FA = B} {M: TF + A} 
2-L-—L 


E--2 : V {fF A B} {V: T + A= B} {MM : TF FE A} 
~ Value V 


~ Value W 


> “suc M— “suc M’ 


&-case : V {f A} {L L’ : F FN} {M: PT FA} {N: FT , “NE A} 
-L—-L’ 


~ case LMN— case L’ MN 


B-zero : V {Ff A} {M: fT FA} {N:T , “NEF A} 


- case ‘zeroMN—M 


B-suc : V {f A} {V: TF ‘N} {M: F + A} {N: F , “NE A} 
> Value V 


~ case (“suc VV) MN—N[V ] 


B-u : V {f A} {N: F , AF A} 


>~uUN—NTUN ] 


The definition states that M —> N can only hold of terms M and 
N which both have type T + A for some context I and type A. 
In other words, it is built-in to our definition that reduction pre- 
serves types. There is no separate Preservation theorem to prove. 
The Agda type-checker validates that each term preserves types. 


In the case of 8 rules, preservation depends on the fact that sub- 
stitution preserves types, which is built-in to our definition of 
substitution. 


Reflexive and transitive closure 


infix 2 —»_ 
infix 1 begin_ 
infixr 2 —( ) 
infix 3 5 


data —» {Ff A}: (F - A) > ([ F A) > Set where 


—() : (L: PFA) {MN : TF A} 


begin. : V {f A} {MN:T Fb A} 


>M—+N 
begin M—--N = M—N 


Examples 
_ 1 twoc + suc* + “zero {@} —» “suc “suc “zero 
begin 
twoc + suc* + “zero 
—( &-+1 (B-% V-%) ) 
(X (succ + (succ : #0))) + “zero 
—( B-X V-zero } 
suc® + (suc® + “zero) 
—+( E-+2 V-X (B-X V-zero) ) 
suc® + ‘suc “zero 


—( B-X (V-suc V-zero) ) 
“suc (suc “zero) 
i 


As before, we need to supply an explicit context to * zero. 


_ : plus {o} + two - two —» “suc “Suc “suc “suc “zero 


plus «: two : two 
—( &--+1 (&-+1 B-y) ) 

(KX X case (* S Z) (~ Z) (‘suc (plus + ~* Z + *~ S Z))) + two = twe 
—( E-+1 (B-X (V-suc (V-suc V-zero))) ) 

(X case two (* Z) (‘suc (plus + ~ Z+ * S Z))) + two 
—( B-X (V-suc (V-suc V-zero)) } 

case two two (‘suc (plus : ~ Z : two)) 
—( B-suc (V-suc V-zero) } 

“suc (plus : ‘suc “zero : two) 
=f EoSlic -(Eo+p. (E-*a Bat)) 9 

“suc ((A X case (° S Z) (* Z) (‘suc (plus : * Z:+ ~*~ S Z))) 

- “suc “zero : two) 

—( &E-suc (E-+1 (B-X (V-suc V-zero))) } 

“suc ((A case (‘suc “zero) (° Z) (‘suc (plus + ~Z:+ *°S§Z))): 
—( &-suc (B-X% (V-suc (V-suc V-zero))) ) 

“suc (case (‘suc “zero) (two) (*suc (plus - ~ Z + two))) 
—( &-suc (B-suc V-zero) ) 


“suc (‘suc (plus +: “zero : two)) 
—( E-suc (&-suc (E-+1 (E-+1 B-u))) ) 
“suc (‘suc ((X X case (~ S Z) (° Z) (‘suc (plus + ~ Z +: * S Z))) 


- “zero + two)) 

—( &E-suc (&-suc (&-+1 (B-X V-zero))) ) 

“suc (‘suc ((X case “zero (* Z) (°suc (plus : ~*~ Z:+ *S2Z))):t 
—( &-suc (&-suc (B-X% (V-suc (V-suc V-zero)))) ) 

“suc (“suc (case “zero (two) (‘suc (plus : ~ Z : two)))) 
—( &-suc (&-suc B-zero) } 

“suc (‘suc (‘suc (‘Suc “zero))) 

q 


: plus© + twoc + twoc +: suc® + ‘zero —» “suc “suc “suc “suc “zero 


begin 

plus© + twos + twoc + suc® : “zero 
—( E-+1 (&-+1 (&-+1 (B-X V-X%))) ) 

(XX XK twoc: ~SZ+(°SSZ+:*SZ-+ * Z)) + twot + succ : * 
—+( =a (E--a (B-A Vex)) } 

(X KX twoc : ~SZ-+: (twoc: ~ SZ: * Z)) + suct + “zero 
—>( §="2 (B+ V=A) ) 

(KX twoc + succ + (twos + succ : ~ Z)) + “zero 
—( B-X V-zero ) 

twos + succ + (twoc + suc® : “zero) 
—( &-+1 (B-% V-%) ) 


KX succ + (succ + ~ Z)) + (twos + suc® + “zero) 
E-+2 V-K (&-+1 (B-X V-X)) ) 


| 


K succ + (succ + ~ Z)) + ((X suct + (suce + * Z)) : 


| 


( 
f 
( 
{ E-+2 V-X (B-X V-zero) } 

(X succ + (succ + * Z)) + (suc® + (suc® + ‘zero)) 
( E-+2 V-XK (E-+2 V-X (B-X V-zero)) ) 

(X succ + (succ + * Z)) + (suc® + “suc “zero) 

{ E-+2 V-XK (B-X (V-suc V-zero)) ) 
( 
{ 
Ss 
( 
Ss 
{ 


| 


| 


K succ + (succ + ~ Z)) + “suc (‘suc ~zero) 
B-X (V-suc (V-suc V-zero)) ) 
uc® + (suc® + “suc (suc ~“zero)) 
E-+2 V-K (B-X (V-suc (V-suc V-zero))) ) 
uc® + “suc (‘suc (‘suc “zero)) 
B-X (V-suc (V-suc (V-suc V-zero))) ) 
“suc (~suc (‘suc (‘suc “zero))) 


— 


> 


— 


Values do not reduce 


Exercise v-— (practice) 


-- Your code goes here 


Progress 


data Progress {A} (M: @+t A) : Set where 


step : V {N : @F A} 
~M—N 


- Progress M 


done : 


“zero) 


We have now completed all the definitions, which of necessity 
subsumed some of the propositions from the earlier develop- 
ment, namely that substitution and reduction preserves types. 
We now turn to proving the remaining results from the previous 
development. 


Following the previous development, show values do not reduce, 
and its corollary, terms that reduce are not values. 


Value M 


- Progress M 


progress : V {A} > (M: @t A) = Progress M 


progress (* ()) 
progress (X N) = done V-X 
progress (L : M) with progress L 

| step L—-L’ = step (—--1 L—-L’) 

| done V-X with progress M 

| step M—M’ = step (€-:2 V-X M—M’) 

wae | done VM = step (B-A VM) 
progress (zero) = done V-zero 


progress (‘suc M) with progress M 


| step M—M’ = step (&-suc M—M’) 
ips | done VM = done (V-suc VM) 
progress (case LM N) with progress L 
oe | step L—-L’ = step (&-case L—L’) 
| done V-zero = step (B-zero) 
ae | done (V-suc VL) = step (f-suc VL) 
progress (u N) = step (B-y) 


Evaluation 


Before, we combined progress and preservation to evaluate a 
term. We can do much the same here, but we no longer need to 
explicitly refer to preservation, since it is built-in to the defini- 
tion of reduction. 


record Gas : Set where 
constructor gas 
field 
amount : N 


data Finished {f A} (N :F EFA) : Set where 


done : 
Value N 


~ Finished N 


out-of-gas : 


Finished N 


data Steps {A} : 2+ A = Set where 


steps : {LN : oF A} 
>~L—oN 
~ Finished N 


> Gas 


- Steps L 
eval (gas zero) L 
eval (gas (suc m)) L with progress L 
| done VL 
| step {M} L—M with eval (gas m) M 
| steps M-N fin 


steps (L #) out-of-gas 


steps (L #) (done VL) 


steps (L —( L-—M ) Mn 


The definition is a little simpler than previously, as we no longer 
need to invoke preservation. 


Examples 


such : @F N 
sucu = uw (suc (# @)) 


_ : eval (gas 3) sucy = 
steps 
(u “suc * Z 
—( B- ) 
“suc (u “suc ~ Z) 
—( &-suc B-y ) 
“suc (‘suc (uw “suc ~ Z)) 
—( €-sue (E-sue B-l) } 
“suc (‘suc (‘suc (uw “suc ~* Z))) 
B) 
out-of -gas 
_ =refl 


_ : eval (gas 100) (twoc : suc* « “zero) = 
steps 
((X (K * (SZ) + ( (S Z) + ~ Z))) + (K “suc * Z) + “zero 


=>( €=+7. (B= V=A) ) 
(KX (X “suc * Z) + ((K ‘suc * Z) + * Z)) + “zero 
—( B-X V-zero ) 
(X “suc ~ Z) + ((K ‘suc ~ Z) + ~zero) 
—( E-+2 V-X (B-X V-zero) ) 
(KX “suc ~ Z) + “suc “zero 
—( B-X (V-suc V-zero) ) 
“suc (suc “zero) 
B) 
(done (V-suc (V-suc V-zero))) 


_ =refl 


_ : eval (gas 100) (plus - two - two) = 


steps 


case (~ (S Z)) (* Z) (‘suc (* (S (S (S Z))) «+ * Z + * (S Z))) 
* “suc (‘suc *“zero) 
- “suc (‘suc “zero) 


at S>¢e (Ss*a (Pa) 2? 


(xX 
(x 
case (~ (S Z)) (° Z) 
(*suc 
((u 
(X 
(Xx 
case (~ (S Z)) (* Z) (‘suc (* (S (S (S Z))) » * Z + * (S 
SZ 
* ~ (S Z))))) 


* “suc (‘suc “zero) 
* “suc (‘suc zero) 
—( &-+1 (B-% (V-suc (V-Suc V-zero))) ) 


(x 
case (‘suc (‘suc ~zero)) (° Z) 
(*suc 
((u 
(X 
(X 
case (~ (S Z)) (° Z) (suc ( (S (S (S Z))) « * Z > (SZ 
» 7 


e ” (S Z)))) 
* “suc (‘suc “zero) 
—( B-X (V-suc (V-suc V-zero)) ) 
case (‘suc (‘suc ~zero)) (suc (‘suc ~zero)) 


case (" (5. 2)) (2) (sue (" (5G (3 Z2))) * 24> (8 2) 
a” 7 


- “suc (‘suc ~“zero))) 
—( B-suc (V-suc V-zero) ) 
“suc 


case (~ (S Z)) (* Z) (‘suc (~ (S (S (S Z))) - ~ Z + * (S Z)) 
- “suc ‘zero 
- “suc (*suc “zero)) 


at S-Sule (G-ra (eo*a Boil)) J 


SUC 
((X 
(x 
case (* (S Z)) (* Z) 
(suc 
((u 
(Xx 
(Xx 
case (~ (S Z)) (* Z) (‘suc (* (S (S (S Z))) + *Z:+~* (§ 
» 7 
it *(S Z))))) 
- “suc “zero 


- “suc (*suc “zero)) 
—( E-suc (E-+1 (B-X (V-suc V-zero))) ) 
“suc 
((X 
case (‘suc “zero) (° Z) 
(*suc 


case (~ (S Z)) (* Z) (‘suc (* (S (S (S Z))) + * ZZ: * (S 
» 7 
- ~ (S Z)))) 
- “suc (*suc “zero)) 
—( &—-suc (B-X% (V-suc (V-suc V-zero))) ) 
“suc 
case (‘suc “zero) (‘suc (‘suc ~zero)) 
(~suc 
((u 
(X 


(X 
case (" (5 2)) (2) (sue (" (9G (5 2))) * 24) (8 2) 
a 2 


- “suc (‘suc “zero))) 
—( &-suc (B-suc V-zero) ) 


case (~ (S Z)) (~ Z) (‘suc (~ (S (S (S Z))) «+ * Z + * (SZ) 
- “zero 
- “suc (‘suc “zero))) 


—( &-suc (€-suc (E--a (€--a B-p))) ) 


SUC 
(~suc 
((X 
(x 
case (* (S Z)) (* Z) 
(suc 
((u 
(X 
(x 
case (~ (S Z)) (* Z) (‘suc (* (S (S (S Z))) «© }Z + > ( 
7 
_ ~ (S Z))))) 
- “zero 


- “suc (‘suc “zero))) 
—( &E-suc (&-suc (&-+1 (B-X V-zero))) } 
“suc 
(~suc 
((X 
case ‘zero (* Z) 
(suc 


case (~ (S Z)) (* Z) (‘suc ( (S (S (S Z))) : °Z:* (5 
» 7 
* ~ (S Z)))) 
- “suc (‘suc “zero))) 
—( &E-suc (&-suc (B-% (V-suc (V-suc V-zero)))) ) 
“suc 
(~suc 
case ‘zero (‘suc (‘suc “zero)) 
(suc 
((u 


(x 
(Xx 
case (~ (S Z)) (* Z) (‘suc (* (S (S (S Z))) + * Z> 
© ° Z 
- “suc (*suc “zero)))) 
—( &-suc (&-suc B-zero) ) 
“suc (*suc (‘suc (‘suc “zero))) 


(done (V-suc (V-suc (V-suc (V-suc V-zero))))) 


: eval (gas 100) (plus* + twoc + two*c + suc‘* : “zero) = 
steps 


(Ao (SS 2) > ey a eS 2) tS 2). 


Pe Se) ef eZ) ®  2y7) 
eA” UZ) et" (8 2) * ° 2))) 


* (KX “suc ~ Z) 
- “zero 
=e( Eoég. (Es+a (E-*a. (Be VA) )) > 
(XK 
(Xx 
(Xx 
(K.(A" (8S Z) = ( (SZ) = * -Z))) "(S$ 2) 
(" (8 (S Z)) = ~ (SZ) = ~ Zy))) 
» (KX (K* (SZ) * ( (SZ) * * Z))) 
* (KX “suc ~ Z) 
- “zero 
—( E-+1 (E-+1 (B-K V-A)) ) 
(x 
(XK 


(A (A (S Zp CS zy * 2)))  ” Se 2) 
CO CK © SZ) oe (SZ) a WZ) oe SZ) ce ZY) 


* (KX “suc ~ Z) 
- “zero 

—( &-+1 (B-% V-%) ) 
(XK 


(K(X * (SZ) + ( (SZ) + * Z))) + (K “suc * Z) : 
((K (K ~ (SZ) @ (CS: Z) 2) )) (Kh “sue 2) * * Z)) 
- ‘zero 
—{ B-X V-zero } 
(KX (X* (SZ) + (* (S Z) + * Z))) + (K “suc ~ Z) + 
((K (K * (SZ) + (* (SZ) + * Z))) + (K “suc * Z) + “zero) 
—( &--+1 (B-X V-X) ) 
(KX (X “suc * Z) + ((K ‘suc * Z) + * Z)) : 


* (Sz 


((X (XK * (SZ) + (* (SZ) + * Z))) + (K “suc * Z) + “zero) 
—( &-+2 V-K (E-+1 (B-% V-X)) ) 

(KX (KX “suc ~ Z) + ((X “suc * Z) + * Z)) + 

((K. (KH “Suc. ~ Z) = ((% “sue ~ Z) * ~ Z)) = zero) 
—( E-+2 V-X (B-X V-zero) ) 

(X (KX “suc ~ Z) + ((X “suc * Z) + * Z)) + 

((X “suc * Z) + ((X “suc * Z) + “zero)) 
—( E-+2 V-X (E-+2 V-X (B-X V-zero)) ) 

(X (KX “suc ~ Z) + ((X “suc * Z) + ~*~ Z)) + 

((X “suc ~ Z) + “suc “zero) 
—( E-+2 V-X (B-X (V-suc V-zero)) } 

(X (K “suc *~ Z) + ((K ‘suc ~ Z) + ~ Z)) + “suc (‘suc “zero) 
—( B-X (V-suc (V-suc V-zero)) } 

(X “suc * Z) + ((X “suc ~ Z) + “suc (*suc “zero)) 
—( E-+2 V-X (B-X (V-suc (V-suc V-zero))) ) 

(X “suc * Z) + ‘suc (‘suc (*suc “zero)) 


—( B-X (V-suc (V-suc (V-suc V-zero))) } 
“suc (~suc (‘suc (‘suc “zero))) 
H) 
(done (V-suc (V-suc (V-suc (V-Suc V-zero))))) 
_=refl 


We omit the proof that reduction is deterministic, since it is te- 
dious and almost identical to the previous proof. 


Exercise mul—-example (recommended) 
Using the evaluator, confirm that two times two is four. 


-- Your code goes here 


Intrinsic typing is golden 


Counting the lines of code is instructive. While this chapter cov- 
ers the same formal development as the previous two chapters, it 
has much less code. Omitting all the examples, and all proofs 
that appear in Properties but not DeBruijn (such as the proof that 
reduction is deterministic), the number of lines of code is as fol- 
lows: 


Lambda 216 
Properties 235 


DeBruijn 276 


The relation between the two approaches approximates the 
golden ratio: extrinsically-typed terms require about 1.6 times as 
much code as intrinsically-typed. 


Unicode 


This chapter uses the following unicode: 


(o} U+03C3 GREEK SMALL LETTER SIGMA (\Gs or 
\sigma) 

o U+2080 SUBSCRIPT ZERO (\_0) 

U+20B3 SUBSCRIPT THREE (\_3) 

U+2084 SUBSCRIPT FOUR (\_4) 

U+2085 SUBSCRIPT FIVE (\_5) 

U+2086 SUBSCRIPT SIX (\_6) 

U+2087 SUBSCRIPT SEVEN (\_7) 

U+2260 NOT EQUAL TO (\=n) 


+ AYA Qa Fw 


Show that a double substitution is equivalent to two single sub- 
stitutions. We repeat the test examples from Chapter DeBruijn, in 
order to make sure we have not broken anything in the process 
of extending our base calculus. 


More: Additional constructs of simply- 
typed lambda calculus 


module plfa.part2.More where 


So far, we have focussed on a relatively minimal language, based 
on Plotkin’s PCF, which supports functions, naturals, and fix- 
points. In this chapter we extend our calculus to support the fol- 
lowing: 


* primitive numbers 

* let bindings 

* products 

* an alternative formulation of products 
* sums 

* unit type 

an alternative formulation of unit type 
* empty type 

* lists 


All of the data types should be familiar from Part I of this text- 
book. For let and the alternative formulations we show how they 
translate to other constructs in the calculus. Most of the descrip- 
tion will be informal. We show how to formalise the first four 
constructs and leave the rest as an exercise for the reader. 


Our informal descriptions will be in the style of Chapter Lambda, 
using extrinsically-typed terms, while our formalisation will be in 
the style of Chapter DeBruijn, using intrinsically-typed terms. 


By now, explaining with symbols should be more concise, more 
precise, and easier to follow than explaining in prose. For each 
construct, we give syntax, typing, reductions, and an example. 


We also give translations where relevant; formally establishing 
the correctness of translations will be the subject of the next 
chapter. 


Primitive numbers 


We define a Nat type equivalent to the built-in natural number 
type with multiplication as a primitive operation on numbers: 


Syntax 
Ay) (By: tC. SS. he Types 
Nat primitive 


natural numbers 


L, M, N ::=... Terms 
con c constant 
L ** M 
multiplication 
Mey. We $29 eats Values 
con c constant 
Typing 


The hypothesis of the con rule is unusual, in that it refers to a 
typing judgment of Agda rather than a typing judgment of the 
defined calculus: 


ci: N 


con 
T F conc: Nat 


T 
T 


TrFL** M: Nat 


Reduction 


A rule that defines a primitive directly, such as the last rule be- 
low, is called a 6 rule. Here the 6 rule defines multiplication of 
primitive numbers in terms of multiplication of naturals as given 
by the Agda standard prelude: 


L— L’ 
_ —- €-*4 
L**M—>tL' **M 
M — M’ 
_ — &-*9g 


vVc*x* M—VvV~-* M’ 


= = 6 * 
con c ~* con d — con (c * d) 


Example 


Here is a function to cube a primitive number: 


cube : OF Nat > Nat 
cube =A x > x >* x ** x 


Let bindings 


Let bindings affect only the syntax of terms; they introduce no 
new types or values: 


Syntax 
L, M, N ::=... Terms 
“let x “= M ‘in N let 
Typing 
TFMB8A 
T, x 8AKFN8B 
= = ik et 


Reduction 


M —> M’ 
Sooseais 7 E-let 
“let x “= M ‘in N — ‘let x “= M’' “inwN 
B-let 
“let x “= V-inN—-N [x :=V ] 
Example 


Here is a function to raise a primitive number to the tenth 
power: 


expl10 : O F Nat > Nat 


expl0 =A x > ‘let x2 ‘=x °* x Cin 
“let x4 “= x2 ** x2 “in 
“let x5 °= x4 ** x Cin 


Translation 


We can translate each let term into an application of an abstrac- 
tion: 


(‘let x “=M in N) +t = (A x > (N t)) += (M ft) 


Here M ¢ is the translation of term M from a calculus with the 
construct to a calculus without the construct. 


Products 
Syntax 
Pep By. Ee SS hs Types 
A -°x B product 
type 
L, M, N ::=... Terms 
Pe Mtg. SNe) pair 


“proja L project 
first component 

‘proj2 L project 
second component 


Vigo WeSch= cats Values 
SE OM ge We) pair 

Typing 

TEFMSA 

TEFENSB 


—--------------- ~proji or *xX-Ey 


—--------------- “proj2 or ° x—-E2 


Reduction 

M— M’ 

ee eee ee ee nt ee ee E-{,)4 
“(M,N)—-->-(M’,N) 

N — N’ 

ag ee Re SOP a a ee E-(, Jo 
ON p Bop Se OC gor) 

L— L’ 

SSS a Se §-proji 
~proji L — “‘proji L’ 

L— L’ 

SRS SS Sa See §-pro ja 


~proj2 L — “‘proj2 L’ 


Example 


Here is a function to swap the components of a pair: 


swapx : OFA*x BOB XA 
swapx =Az-> °( ‘proj2 z, “proji z ) 


Alternative formulation of products 


There is an alternative formulation of products, where in place of 
two ways to eliminate the type we have a case term that binds 
two variables. We repeat the syntax in full, but only give the new 
type and reduction rules: 


Syntax 

By? By (CSS fe as Types 
A -~x B product 

type 

Ly My (Ni 882 soecs Terms 
“(M,N) pair 
casex L [{ x, y)>™M ] case 

Vip Wo Sop= Values 
“CV pW) pair 

Typing 

TFL8A*x B 

T, xs8A, y8BEN8BC 


SSS ae hes 3 = casex or x-E 


TF casex L [( x, y)>NJ]8C 
Reduction 


L— L! 


E-casex 
casex L [( x, y )}> N ] — casex L’ [( x, y )?>N 


Example 


Here is a function to swap the components of a pair rewritten in 
the new notation: 


swapx-case : OFA ‘x BBB XA 
swapx-case = A z > casex z 
Keg YS ar ee 


Translation 


We can translate the alternative formulation into the one with 
projections: 


(casex L [(( x, y )> N ]) t 
“let z*= (L t) “in 

“let x *= “proji z “in 

“let y “= “proj2 z “in 

(N tT) 


Here z is a variable that does not appear free in N. We refer to 
such a variable as fresh. 


One might think that we could instead use a more compact trans- 


lation: 


-—— WRONG 
(casex L [Cx > -y 72 NW 1): t 
(Nop) ob: S= “project? dp by sprog: (b> 7) 


] 


But this behaves differently. The first term always reduces L be- 
fore N, and it computes * proj; and ~pro4z2 exactly once. The 
second term does not reduce L to a value before reducing N, 
and depending on how many times and where x and y appear 
in N, it may reduce L many times or not at all, and it may com- 
pute ~projiand * pro jz many times or not at all. 


We can also translate back the other way: 


(‘proj1 L) + = casex (L +) [( x, y > x ] 
(‘proj2 L) + = casex (L#) [( x, y yy ] 
Sums 
Syntax 
Bip? Bi 6 Sh] " Boas Types 

AUB sum type 
L, M, N = .. Terms 

~inji M inject 
first component 

“inj2 N inject 
second component 

caseY L [inji xX > M Jinjez y PN ] case 
Vy We 2t= wis Values 

“inji V inject 
first component 

“inje W inject 


second component 


TEFEMS8A 

a a cd ‘injas or W-T4 
TF cinja M8 ACU B 

TEFN8B 

SS SSSe a Se ee “inje or W-Is 


or W-E 
TF caseU L [inji x > M Jinjz2y >N] 8C 


Reduction 


E-caselWJ 
caseW L [inji x > M linj2 y > N ] — caseW L’ 
[inji x > M jinjz2 y ON ] 


B-inj1 
caseY (‘inji V) [inji x > M Jinj2 y > NJ] —~-M(l[ 


caseWU (‘inj2 W) [inji x > M Jjinjz y > NJ] —-N 


Example 


Here is a function to swap the components of a sum: 


swapU : OFA WUBRA> BUA 
swapU = A z > caseld z 
[inja xX > “inj2 x 
jinj2 y > “inj y ] 


Unit type 
For the unit type, there is a way to introduce values of the type 


but no way to eliminate values of the type. There are no reduc- 
tion rules. 


Syntax 
Ayo By (OO RSS eecesd Types 

T unit type 
L, M, N ::=... Terms 

a tet unit value 
WV Wee = eas 8 Values 

Both unit value 
Typing 


- “tt or T-I 
Te “per 3? 1 


Reduction 
(none) 


Example 


Here is the isomorphism between Aand A ~>x *T: 


toxT : O@rFARDA*xK -T 
toxT =Ax> (x, “tt ) 


fromxT : OFA*x “TOA 
fromxT =A z> ‘proj z 


Alternative formulation of unit type 


There is an alternative formulation of the unit type, where in 
place of no way to eliminate the type we have a case term that 
binds zero variables. We repeat the syntax in full, but only give 
the new type and reduction rules: 


Syntax 
Ay By (Cs S28) eee Types 
an unit type 
L, M, N = Terms 
FEE unit value 
~casel L [tt™> N ] case 
Veo WW eS eo Values 
“EE unit value 
Typing 
TE Res, cd ehh 
TFMB8A 


- - - casel or T-E 
TF caselT L [tt> M] 8A 


Reduction 


L— L! 


E-caseT 
casel L [tt™ M ] — caseT L’ [tt™>™M ] 


casel “tt [tt> M]—™M 
Example 


Here is half the isomorphism between A and A *~x ~*T rewrit- 
ten in the new notation: 


fromxT-case : OFA*x *‘TOPRA 
fromxT-case = A z > casex z 
[( x , y )™ caseT y 
[tt> x ] ] 


Translation 


We can translate the alternative formulation into one without 
case: 


(caselT L [tt> M]) t = “let z*= (L ft) “in (M 
T) 


Here z is a variable that does not appear free in M. 


Empty type 


For the empty type, there is a way to eliminate values of the type 
but no way to introduce values of the type. There are no values 
of the type and no f rule, but there is a € rule. The case con- 
struct plays a role similar to L-elim in Agda: 


Syntax 
A, By (©. 3. 3" shes Types 

Sul empty type 
L, M, N ::=... Terms 

casel L [] case 


Typing 


eee ee casel or L-E 


TF casel L [] 8A 

Reduction 

L— L’ 

Se ee a E-casel 
casel L [] — casel L’ [] 
Example 


Here is the isomorphism between Aand A ~WU ~L: 


toJL : GFAP A CUCL 
toJl =Ax > “inj x 


fromuUL : OFA CUCLIA 
fromlUl = Az > casei z 
[inja x > x 
| inj y = casel y 


CL. al 


Lists 
Syntax 
A, B, C So eae Types 
“List A list type 
Thy Ma Ne eB oes Terms 
Psilil nil 
M ciiNn cons 
caseL L [[]> M | xo y PN ] case 
Vig War ee os, bcs Values 
~[] nil 


Voi W cons 


SSS SSeS SRR SSH aP ~[] or List-I4 


SeSasSsSsrsasaSSSoa= -_ or List-I2 


List—-E 
TF caseL L [(]>M |xtxs >N] 8B 


Reduction 


E-caseL 
caseL L [[]> M | x :} xs > N ] — caseL L’ [[]9 
M|xixs >N ] 


[]> M x u0oxs > N]——-N(Ox 


Example 


Here is the map function for lists: 


mapL : @F (A > B) > “List A > “List B 
mapL =pmL >AfxAxs > 
caseL xs 
Lip? CI 


| xsixs 3 f+ x mL + f+ xs ] 
Formalisation 


We now show how to formalise 


* primitive numbers 

* let bindings 

* products 

* an alternative formulation of products 


and leave formalisation of the remaining constructs as an exer- 
cise. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 

open Eq using ( = ; refl) 

open import Data.Empty using (1; L-elim) 

open import Data.Nat using (N; zero; suc; * ; <; s? ; zsn; sss) 
open import Relation.Nullary using (-_) 


open import Relation.Nullary.Decidable using (True; toWitness) 


Syntax 


infix 4 F. 
infix 4 9. 
infixl 5 _,_ 


Intixr 7 = 


infixr 9 *x_ 


infix 5 X_ 


infix 5 w_ 

infixl 7 -_ 

infixl @ oo. 
infix “suc_ 
infix . 
infix 
infix 


oOoOnowon 


5. 
# 
Types 


data Type : Set where 
*N : 


Type 
a : Type - Type - Type 
Nat : Type 


“ae : Type - Type - Type 
Contexts 


data Context : Set where 
@ : Context 
_,_ 1: Context > Type - Context 


Variables and the lookup judgment 


data 3: Context - Type - Set where 


Z:V {TF A} 


“3T 3B 


Terms and the typing judgment 


data _-+_: Context - Type - Set where 


-- variables 


-PF RB 
-- naturals 


“zero : WV {PF} 


-- primitive numbers 


con: V {fT} 
oN 


L 
5 
T 
= 
o 
ct 


“let : V {fT A B} 


-- products 


“(_,_) : V {PF A B} 


wL> 


>TRA’xB 


->PFEA xB 


-- alternative formulation of products 


casex : V {Ff AB C} 
>TrRA’xB 


Abbreviating de Bruijn indices 


length : Context +N 

length 2 = zero 

length (— , _) = suc (length I) 

lookup : {Ff : Context} - {n : N} = (p : n < lengthT) - Type 
lookup {(_ , A)} {zero} (sss zsn) = A 

lookup {(F , _)} {(suc n)} (sss p) = lookup p 

count : V {f} > {n : N} - (p : n< lengthT) +f 35 lookup p 
count {_ , _} {zero} (sss zsn) = Z 

count {Ff , } {(suc n)} (sss p) = S (count p) 


# =: V {IT} 
> (n: N) 


- {nf 


: True (suc n s? length [)} 


+~T + lookup (toWitness néf ) 


# =n {nef} 


Renaming 


* count (toWitness nef ) 


rename : V { 


Z 
S (p x) 


T A} 


r,AIBA,A3IB) 


> (V {A} - fT 3A3A3 A) 


> (V {A} -T FAS AFA) 


rename p (° x) 
rename p (X N) 
rename p (L : M) 
rename p (zero) 
rename p (‘suc M) 
rename p (case L M N) 
rename p (uy N) 
rename p (con n) 
rename p (M ** N) 
rename p (‘let M N) 
rename p “(M,N ) 
rename p (‘proji L) 
rename p ( proj2 L) 
rename p (casex L M) 


~ (p x) 

K (rename (ext p) N) 

(rename p L) - (rename p M) 

“zero 

“suc (rename p M) 

case (rename p L) (rename p M) (rename (e 
(rename (ext p) N) 

con n 

rename p M °* rename p N 

“let (rename p M) (rename (ext pe) N) 

“( rename p M , rename p N ) 

“proji (rename p L) 

‘proj2 (rename p L) 

casex (rename p L) (rename (ext (ext p)) 


Simultaneous Substitution 


exts : 
exts o Z 
exts o (S x) 


subst 
subst 
subst 
subst 
subst 
subst 
subst 
subst 
subst 
subst 
subst 
subst 
subst 
subst 
subst 


10) 
10) 
10) 
10) 
10) 
10) 
10) 
10) 
10) 
10) 
10) 
10) 
10) 
10) 


x 


V {fF A} - (V {A} =F S3ASAFE A) = (V {AB} OT ,ASBBR-A 
Z 
rename S_ (6 x) 


A} - (V {C} -F SC 2AFC) - (V {C} -F FOCAL C) 
k 


o} 
K (subst (exts o) N) 

(subst o L) + (subst o M) 

“zero 

“suc (subst o M) 

case (subst o L) (subst o M) (subst (exts 
wu (subst (exts o) N) 

con n 

subst o M ~* subst o N 

“let (subst o M) (subst (exts o) N) 

*( subst o M , subst oN ) 

“proji (subst o L) 

“projz (subst o L) 

casex (subst o L) (subst (exts (exts o)) b 


Single and double substitution 


substZero 


substZero V Z 
substZero V (S x) 


A AO 


Chor ,A 


C} 


= W 


>: V{}{A B} ->T FAOPT ,ASBHT EB 
V 


subst {f , A} {ff} (substZero V) N 


[} {A} {B} NV W= subst {fF , A, B} {fT} oN 


BIC-FFEC 


nrH 
x< 

oil 
x< 


Values 


data Value : V {f A} > fF FA = Set where 
-- functions 


V-X :V {fT AB} {N: Tf , AF B} 


- Value (X N) 
-- naturals 


V-zero : V {I} 


> Value (‘zero {}) 


V-suc_: V {Ff} {V: FF N} 
> Value V 


+ Value (“suc V) 
-- primitives 
V-con : V {fF n} 
+ Value (con {°} n) 
-- products 
V-(_, ) : V {fF A B} {V : TF + A} {W: T F B} 


+ Value V 
~ Value W 


Implicit arguments need to be supplied when they are not fixed 
by the given arguments. 


Reduction 


infix 2 _—_ 


data — : V {f A} - (TF A) = (F F A) = Set where 
-- functions 


E--1 : V {fF A B} {L L’ : F FA = BY} {M: FT + A} 
-~L—L’ 


E--2 : V {F A B} {V: PF FA = B} {MM : FEL A} 
~ Value V 


B-X : V {—f A B} {N:F , At B} {V: TF A} 
> Value V 


> (XN) -V—ONEV] 
-- naturals 


E-suc : V {Tf} {MM : FF ‘N} 
-~M—WM 


> “suc M— “suc M’ 


—-case : V {f A} {L L’ : F & ‘N} {M: PT FA} {N: TF , “NE A} 
-~L—L’ 


~ case LMN— case L’ MN 


B-zero : V {fF A} {M: fT FA} {N:T , “NF A} 


~ case “zeroMN—M 


B-suc : V {f A} {V: FT & ‘N} {M: F + A} {N: F , “NE A} 
> Value V 


> case (‘suc V)MN—N[V ] 
-- fixpoint 


>~UN—>NIT UN] 


-- primitive numbers 


&-*1 : V {7} {L L’ M: FT & Nat} 
-L—-L’ 


*2 : V {7} {VMM’ :T - Nat} 


6-* : V {Ff c d} 


> con {[f} c ** con d — con (c * d) 


-- let 


&E-let : V {fF AB} {MM : Tf & A} {N: FT , AF B} 


->M— M’ 


- ‘let MN — ‘let MN 


B-let : V {Ff AB} {V: PF + A} {N: FT , AF B} 
~ Value V 


> ‘let VN—N[V] 
-- products 


E-(,)1 : V {fF A B} {MM : T & A} {N: T & B} 
-M—M’ 


E-(,)2 : V {fF A B} {V : T & A} {NN’ : T FB} 


E-proji : V {fF A B} {LL’ : TFA °x B} 
s>L—L’ 


> ‘proji L — ‘proji L’ 


E-projz : V {Ff A B} {LL’ : TFA *x B} 


> ‘projz L — “proj2 L’ 


B-proji : V {f A B} {V: T + A} {W: T + B} 
~ Value V 
~ Value W 


B-proj2 : V {f A B} {V: TF F A} {W: T F B} 


-- alternative formulation of products 


E-casex : V {Ff ABC} {LL’ : FRA ‘x B} {M:F ,A,BEC} 
-L—-L’ 


> casex L M — casex L’ M 


B-casex : V {fF ABC} {V: PF + A} {W: F + B} {M:F ,A, BE C} 
~ Value V 
~ Value W 


Reflexive and transitive closure 


infix 2 —_ 
infix 1 begin_ 
infixr 2 —(_) 
infix 3 I 


data —» {f A}: (F F A) > ([ F A) > Set where 


4). 7 (be PRA) QM Ne Pe AY 


begin : V {f A} {MN:T + A} 
~M—N 


>M—+N 
begin M—-+-N = M—-N 


Values do not reduce 


V-—— : V {PF A} {MN: TF A} 
~ Value M 


V-— \V-zero 
V-—— VM M—M’ 


vo 
= 
(@] 
= 
ll 


V-— \V-con 
V-— VM M—M’ 
V-— VN NN’ 


Progress 


data Progress {A} (M: @+- A) : Set where 


step : V {N : @F A} 
~M—N 


- Progress M 


progress : V {A} 
> (M:i@F 
- Progress M 
progress (* ()) 
progress (X N) = done V-X 


progress 


progress 
progress 


progress 


progress 
progress 
progress 


progress 


progress 


progress 


progress 


progress 


(L_ + M) with progress L 
step L—L’ 
done V-X with progress M 
| step M—M’ 
| done VM 
(zero) 
(*suc M) with progress M 
step M—M’ 
done VM 


(case L MN) with progress L 


step L—L’ 
done V-zero 
done (V-suc VL) 
(u N) 
(con n) 
(L ** M) with progress L 
step L—L’ 
done V-con with progress 
| step M—M’ 
| done V-con 
(“let MN) with progress 
step M—M’ 
done VM 
“(M,N ) with progress 
step M—M’ 
done VM with progress N 
| step N-N’ 
| done VN 
(*proji L) with progress 
step L—L’ 
done (V-( VM , VN )) 
(*projz L) with progress 
step L—L’ 
done (V-( VM , VN )) 


(casex L M) with progress L 


step L—L’ 
done (V-( VM , VN )) 


Evaluation 


record Gas : Set where 
constructor gas 


field 


amount : N 


data Finished {f A} (N: TF A) 


: Set where 


step 


step 
step 
done 


step 
done 


step 
step 
step 
step 
done 


step 


step 
step 


step 
step 


step 


step 
done 


step 
step 


step 
step 


step 
step 


(€-+1 LL’) 


(E-+2 V-K MM’ ) 
(B-A VM) 
V-zero 


(E-suc M—-M’) 
(V-suc VM) 


(&-case L—L’ ) 
B-zero 

(B-suc VL) 

B-y 


V-con 
(E&-*1 LL’) 


(E&-*2 V-con M—\ 
6-* 


(§-let M—M’ ) 
(B-let VM) 


(é>{,)a TM") 


(§-(,)2 VM NN’ 
(V-( VM, VN )) 


(€&-proji L—-L’) 
(B-proji1 VM VN) 


(E-projz L—-L’) 
(B-projz2 VM VN) 


(&-casex L—-L’ ) 
(B-casex VM VN) 


done : 
Value N 


~ Finished N 


out-of-gas : 


Finished N 
data Steps {A} : 2+ A = Set where 


steps : {LN : oF A} 
>~L—oN 
~ Finished N 


> Gas 


> Steps L 
eval (gas zero) L 
eval (gas (suc m)) L with progress L 
| done VL 
| step {M} L—M with eval (gas m) M 
| steps M-N fin 


steps (L #) out-of-gas 


steps (L #) (done VL) 


steps (L —( L-—=M ) Men 


Examples 


—( B-X V-con } 


~ Tr 
= 
’ fed} 
ct 
u 
= 
fed} 
ct 


(“let (#0 °* # 2) 
(# 0 ** #0)))) 


— : expl0 + con 2 — con 1024 


begin 
expl0 - con 2 
—( B-X V-con ) 
“Let (con 2 “* con 2) (‘let (# 0 ** #0) (‘let (#0 ** con 2) (A 
—( &—-let 6-* ) 
“Let (con 4) (‘let (# 0 “* #0) (‘let (# 0 “* con 2) (#0 “* #€ 
—( B-let V-con ) 
“Let (con 4 “* con 4) (‘let (# 0 ** con 2) (# 0 °* # 0)) 
—( &—-let 6-* ) 
“Let (con 16) (‘let (# 0 ** con 2) (# 0 “* # 0)) 
—( B-let V-con ) 
“let (con 16 “* con 2) (# 0 “* # 0) 
—( &—-let 6-* ) 
“Let (con 32) (# 0 ** # 0) 
—( B-let V-con ) 
con 32 ** con 32 
—( 6-* ) 
con 1024 
| 


swapx : V {AB} >@FA*xB=>=B ox A 
swapx = X “( ‘proj2 (#0) , ‘proji (#0) ) 


_ : swapx + “( con 42 , “zero ) —» “( “zero , con 42 ) 


begin 
swapx : “{ con 42 , “zero ) 
—( B-X V-( V-con , V-zero ) ) 
“{ “projz “{ con 42 , ‘zero ) , ‘proji *( con 42 , “zero ) ) 
—( &-(,)1 (B-projz V-con V-zero) ) 
“( “zero , “proji ~{ con 42 , “zero ) ) 
—( &-(,)2 V-zero (B-proji V-con V-zero) ) 
*( “zero , con 42 ) 
a 


swapx-case : V {AB} >@FA°xB=B 
Swapx-case = X casex (#0) “(#0,#1 ) 


_ 1 swapx-case + “( con 42 , “zero ) —» “{ “zero , con 42 ) 


begin 
Swapx-case : “( con 42 , “zero ) 
—({ B-X V-( V-con , V-zero ) ) 
casex *( con 42 , ‘zero ) “(#0,#1) 
—( B-casex V-con V-zero } 
‘( “zero , con 42 ) 
| 


Exercise More (recommended and practice) 


Formalise the remaining constructs defined in this chapter. Make 
your changes in this file. Evaluate each example, applied to data 
as needed, to confirm it returns the expected answer: 


sums (recommended) 

unit type (practice) 

an alternative formulation of unit type (practice) 
empty type (recommended) 

lists (practice) 


Please delimit any code you add as follows: 


-—- begin 
-- end 


Exercise double-subst (stretch) 


postulate 
double-subst : 
Vif ABC} {V: FFA} {W: FT + B} {N: F ,A,BEC}HRH 
NCE V][W]#(N[ rename S W])[V ] 


Note the arguments need to be swapped and Ww needs to have its 
context adjusted via renaming in order for the right-hand side to 


be well typed. 


Test examples 


two: V {fT} -F FON 
two = “suc ‘suc “zero 


plus : V {fF} -—f KF N= “N= N 
plus = u X X (case (#1) (# 0) (‘suc (#3: #0: #1))) 


242: V {TF} -T FON 
2+2 = plus : two : two 


Ch : Type - Type 
ChA = (A=A)sA2A 


twoc : V {fT A} >F FECHA 
twoc = XX (#1: (#1: #0)) 


pluss : V {Ff A} = ee 
pluss=XXXX (#3-#1-+ (#2+#1-+#0)) 


succ : V {fF} > PF FE N=  N 
succ = X “suc (# 0) 


242° : V {Tf} -F FON 


2+2° = plus® - twos + twos : suc® : “zero 


Unicode 


This chapter uses the following unicode: 


fo) U+03C3 GREEK SMALL LETTER SIGMA (\Gs or 
\sigma) 

+ U+2020 DAGGER (\dag) 

+ U+2021 DOUBLE DAGGER (\ddag) 


We import our source language from Chapter More: The simula- 
tion is a straightforward formalisation of the rules in the intro- 
duction: We need a number of technical results. The first is that 
simulation commutes with values. That is, if M ~ Mt and Misa 
value then Mt is also a value: The proof first requires we estab- 
lish an analogue of extension. If o and ot both map any judg- 
ment T > Atoajudgment A | A, such that for every xin I 
> Awehave o x ~ ot x, thenforany xin T , B > Awe 
have exts o x ~ exts ot x: With extension under our 
belts, it is straightforward to show substitution commutes. If o 
and ot both map any judgment Tr > Atoajudgment A | A, 
such that for every x in T > Awehave o x ~ ot x, andif 
M ~ Mt, then subst o M ~ subst ot Mt: From the general 
case of substitution, it is also easy to derive the required special 
case. If N ~ Nt and M ~ Mt,then N [M ] ~ Nt [ Mt ]: 
We first formulate a concept corresponding to the lower leg of 
the diagram, that is, its right and bottom edges: We can now 
state and prove that the relation is a simulation. Again, in this 
case, we can use a stronger relation than —>, replacing it by — 


=> 


Bisimulation: Relating reduction sys- 
tems 


module plfa.part2.Bisimulation where 


Some constructs can be defined in terms of other constructs. In 
the previous chapter, we saw how let terms can be rewritten as 
an application of an abstraction, and how two alternative formu- 
lations of products — one with projections and one with case — 
can be formulated in terms of each other. In this chapter, we 
look at how to formalise such claims. 


Given two different systems, with different terms and reduction 
rules, we define what it means to claim that one simulates the 
other. Let’s call our two systems source and target. Let M, N 
range over terms of the source, and Mt, Nt range over terms of 


the target. We define a relation 
M ~ Mt 


between corresponding terms of the two systems. We have a sim- 
ulation of the source by the target if every reduction in the source 
has a corresponding reduction sequence in the target: 


Simulation: For every M, Mt, and N: If M ~ Mt and M — N 
then Mt —~> Nt and N ~ Nt forsome Nt. 


Or, in a diagram: 


| 
| 
| 
| 
Mt --- —» --- Nt 


Sometimes we will have a stronger condition, where each reduc- 
tion in the source corresponds to a reduction (rather than a re- 
duction sequence) in the target: 


This stronger condition is known as lock-step or on the nose simu- 
lation. 


We are particularly interested in the situation where there is also 
a simulation from the target to the source: every reduction in the 
target has a corresponding reduction sequence in the source. In 
other words, ~ is a simulation from source to target, and the 
converse of ~ is a simulation from target to source: this situation 


is called a bisimulation. (In general, if < and > are arbitrary rela- 
tions such that x < y ifandonlyif y > x then we say that < 
and > are converse relations. Hence, if ~ is a relation from 
source to target, its converse is a relation from target to source.) 


Simulation is established by case analysis over all possible reduc- 
tions and all possible terms to which they are related. For each 
reduction step in the source we must show a corresponding re- 
duction sequence in the target. 


For instance, the source might be lambda calculus with let added, 
and the target the same system with let translated out. The key 
rule defining our relation will be: 


M ~ Mt 
N ~ Nt 


let x =MinN~ (A x > Nt) - Mt 


All the other rules are congruences: variables relate to them- 
selves, and abstractions and applications relate if their compo- 
nents relate: 


Ax >N~Ax > Mt 


Lo~ Lt 
M ~ Mt 


L+M~ Lt - Mt 


Covering the other constructs of our language — naturals, fix- 
points, products, and so on — would add little save length. 


In this case, our relation can be specified by a function from 
source to target: 


(x) + = 


xX 
(A x > N) t = Kx = (Nt) 
(L + M) ft = (le 1) (M t) 
(let x =MinN) t = (A x > (N t)) (M t+) 


And we have 


and conversely. But in general we may have a relation without 
any corresponding function. 


This chapter formalises establishing that ~ as defined above is a 
simulation from source to target. We leave establishing it in the 
reverse direction as an exercise. Another exercise is to show the 
alternative formulations of products in Chapter More are in 
bisimulation. 


Imports 
open import plfa.part2.More 
Simulation 


infix 4 ~_ 
infix 5 ~K_ 
infix 7 o~-_ 


data ~ : V {f A} > (F F A) > ([ F A) = Set where 


~ : V {PF A} {x : TF 3 A} 


~K_:V {f AB} {NNt:T , AF B} 
> N ~ Nt 


~  : V {T AB} {L Lt : [ + A= B} {MMt: TF A} 


~let : V {fF A B} {MMt: PF FA} {NNt: TF , AF B} 
> M ~ Mt 


The language in Chapter More has more constructs, which we 
could easily add. However, leaving the simulation small lets us 
focus on the essence. It’s a handy technical trick that we can 
have a large source language, but only bother to include in the 
simulation the terms of interest. 


Exercise _+ (practice) 


Formalise the translation from source to target given in the intro- 
duction. Show that M +t = Nimplies M ~ N, and conversely. 


Hint: For simplicity, we focus on only a few constructs of the 
language, so _t+t should be defined only on relevant terms. One 
way to do this is to use a decidable predicate to pick out terms in 
the domain of _ +, using proof by reflection. 


-- Your code goes here 


Simulation commutes with values 


~val : V {fF A} {M Mt: T - A} 
> M~ Mt 
~ Value M 
> Value Mt 
~val ~* () 
~val (~X ~N) V-X = V-X 
~val (~L ~: ~M) () 
~val (~let ~M ~N) () 


It is a straightforward case analysis, where here the only value of 


interest is a lambda abstraction. 
Exercise ~val™: (practice) 


Show that this also holds in the reverse direction: if M ~ Mt and 
Value Mt then Value M. 


-- Your code goes here 


Simulation commutes with renaming 


The next technical result is that simulation commutes with re- 
naming. That is, if o maps any judgment T > A to a judgment 
A > A,andif M ~ Mt then rename p M ~ rename p Mt: 


~rename : V {fF A} 
>(p:V {A} -F 3A>A3 A) 


> (V {A} {M Mt : T & A} > M ~ Mt = rename p M ~ rename p Mt) 


~rename p (~°) = ~ 

~rename p (~X ~N) = ~XK (~rename (ext p) ~N) 

~rename p (~L ~: ~M) = (~rename p ~L) ~: (~rename p ~M) 
~rename p (~let ~M ~N) = ~let (~rename p ~M) (~rename (ext p—) 


The structure of the proof is similar to the structure of renaming 
itself: reconstruct each term with recursive invocation, extending 
the environment where appropriate (in this case, only for the 
body of an abstraction). 


Simulation commutes with substitution 


The third technical result is that simulation commutes with sub- 
stitution. It is more complex than renaming, because where we 
had one renaming map op here we need two substitution maps, 
oand ot. 


~exts : V {f A} 

>fo : V{A} oT 5A 
> fot : V {A} -T 5A 
> (VW {A} = (x :T3A 


~N) 


~exts ~o Z 


> (V {A B} = (x : T , B53 A) = exts o x ~ exts ot x) 
~exts ~o (S x) = 


~rename S_ (~o x) 
The structure of the proof is similar to the structure of extension 
itself. The newly introduced variable trivially relates to itself, 


and otherwise we apply renaming to the hypothesis. 


~subst : V {f A} 


~ fo :Vf{A}sF JASAF A} 
~ fot : V {fA} -F J3ASAF A} 
> (V {A} - (x :F 3 A) > 6 x ~ of x) 


> (WV {A} {M Mt : [ & A} > M ~ Mt > subst o M ~ subst ot Mt) 


~subst ~o (~ {x = x}) = ~oxX 

~subst ~o (~X ~N) = ~X (~subst (~exts ~o) ~N) 

~subst ~o (~L ~: ~M) = (~subst ~o ~L) ~: (~subst ~o ~M) 

~subst ~o (~let ~M ~N) = ~let (~subst ~o ~M) (~subst (~exts ~o) ~K 


Again, the structure of the proof is similar to the structure of sub- 
stitution itself: reconstruct each term with recursive invocation, 
extending the environment where appropriate (in this case, only 
for the body of an abstraction). 


~sub : V {Ff AB} {NNt: fF , Br A} {MMt: F + B} 
> N~ Nt 


> (N[ M ]) ~ (Nt [ Mt J) 

~sub {[} {A} {B} ~N ~M = ~subst {f , B} {ff} ~o {A} ~N 
where 
~o : V {A} > (x: TF ,B3A) 3 _ ~ | 

~M 


~o (S x) 
Once more, the structure of the proof resembles the original. 
The relation is a simulation 
Finally, we can show that the relation actually is a simulation. In 


fact, we will show the stronger condition of a lock-step simula- 
tion. What we wish to show is: 


Lock-step simulation: For every M, Mt, and N: If M ~ Mt and M 
—+ Nthen Mt —> Nt and N ~ Nt forsome Nt. 


Or, in a diagram: 


data Leg {Ff A} (Mt N: 


leg : 


> Leg Mt N 


T+ A) 


VY {Nt : T & A} 


: Set where 


For our formalisation, in this case, we can use a stronger relation 
than ——, replacing it by —. 


> M ~ Mt 


sim (~L ~: 
with sim ~L L— 
| leg ~L’ Lt— 
sim (~V ~: 
with sim ~M M-> 
... | leg ~M’ Mt— 
sim ((~X ~N) ~: 
sim (~let ~M ~N) 
with sim ~M M-> 
... | leg ~M’ Mt— 
sim (~let ~V ~N) 


: V {T A} {M Mt N 


: [T - A} 


(B-let VW) 


leg (~L’ ~: ~M) (E-+1 Lt) 
leg (~V ~: ~—M’) (E-+2 (-val 
leg (~sub ~N ~V) (B-A (-val 


leg (~let ~M’ ~N) (E-:2 V-X I 
leg (~sub ~N ~V) (B-A (-val 


The proof is by case analysis, examining each possible instance of 
M ~ Mt and each possible instance of M —> Mt, using recursive 
invocation whenever the reduction is by a € rule, and hence 
contains another reduction. In its structure, it looks a little bit 
like a proof of progress: 


* If the related terms are variables, no reduction applies. 
* If the related terms are abstractions, no reduction applies. 


* If the related terms are applications, there are three sub- 
cases: 


© The source term reduces via &--1, in which case the 
target term does as well. Recursive invocation gives 
us 


Se Eee ATT 
| 
| 
| 


L 
| 
| 
| 
| 
Lt --- —> --- L't 


from which follows: 


—_— 2 —— 


Lt + Mt --- —+ --- L’t + Mt 


© The source term reduces via £&--2, in which case the 
target term does as well. Recursive invocation gives 
us 


| | 
| | 
| | 
Mt --- —> --- M’t 
from which follows: 
Vv 


M --- — --- V-: M’ 


| | 
| | 
Vt + Mt --- —+ --- Vt + M't 


Since simulation commutes with values and v is a 
value, Vt is also a value. 


© The source term reduces via B8-A, in which case the 
target term does as well: 


(Ax > N) - Vo---—~--- NOE x:=V 
] 


| | 

| | 
(A x > Nt) + Vt --- — --- Nt [ x 
Vt ] 


Since simulation commutes with values and vV is a 
value, Vt is also a value. Since simulation com- 
mutes with substitution and N ~ Nt and V ~ vt, 
we have N [ x :=V]~Nt [ x := Vt ]. 


* If the related terms are a let and an application of an ab- 
straction, there are two subcases: 


© The source term reduces via &-let, in which case 


the target term reduces via &--2. Recursive invoca- 
tion gives us 


| 
| 
| 
| 
—_—- 2 ——_ kz 


M 
| 
| 
| 
| 

M 


tf --- > --- M’t 


from which follows: 


let x =MinwN > let x = M’ in 
N 

| | 

| | 

| | 

| | 
(A x > N) + M --- — --- (A x > N) 
M! 


The source term reduces via B-let, in which case 
the target term reduces via B-A: 


let x = Vin WN ---—~ --- N [| x := V 
] 


| | 
| | 
(A x > Nt) + Vt --- —+ --- Nt [ x := vt 


] 


Since simulation commutes with values and vV is a 
value, vt is also a value. Since simulation com- 
mutes with substitution and N ~ Nt and Vv ~ vt, 
we have N [ x :=V]~Nt [ x := Vt ]. 


Exercise sim} (practice) 


Show that we also have a simulation in the other direction, and 
hence that we have a bisimulation. 


-- Your code goes here 


Exercise products (practice) 


Show that the two formulations of products in Chapter More are 
in bisimulation. The only constructs you need to include are vari- 
ables, and those connected to functions and products. In this 
case, the simulation is not lock-step. 


-- Your code goes here 


Unicode 


This chapter uses the following unicode: 


+ U+2020 DAGGER (\dag) 
~  U+207B SUPERSCRIPT MINUS (\%*-) 
1 U+00B9 SUPERSCRIPT ONE (\%1) 


Identifiers, types, and contexts are as before:The syntax of terms 
is defined by mutual recursion. We use Term* and Term for 
terms with synthesized and inherited types, respectively. Note 
the inclusion of the switching forms, M | A and M +t: We can 
recreate the examples from preceding chapters. First, computing 
two plus two on naturals: Next, computing two plus two with 
Church numerals: The typing rules for variables are as in 
Lambda:As with syntax, the judgments for synthesizing and in- 
heriting types are mutually recursive: The rule for M +t requires 
the ability to decide whether two types are equal. It is straight- 
forward to code:We will also need a couple of obvious lemmas; 
the domain and range of equal function types are equal:We will 
also need to know that the types ~N and A => B are not equal: 
Looking up a type in the context is unique. Given two deriva- 
tions, one showing IT > x 8 Aand one showing TI > x 8 B, it 
follows that A and B must be identical: Synthesizing a type is 
also unique. Given two derivations, one showing T -/ Mt A 
and one showing [| M + B, it follows that A and B must be 
identical: Given I and two distinct variables x and y, if there is 
no type A such that T 3 x 8 A holds, then there is also no 
type Asuch that Tr , y 8 B 3 x 8 A holds: Given a context 
T and a variable x, we decide whether there exists a type A 
such that T 3 x 8 Aholds, or its negation: If TF Lt A => 
B holds but Tr - M 4 A does not hold, then there is no type B’ 
such that TF L - Mt B’ holds: If TM +t Aholdsand A 
# B,then Tr - (M +t) J B does not hold: The table has been 
set and we are ready for the main course. We define two mutu- 
ally recursive functions, one for synthesis and one for inheri- 
tance. Synthesis is given a context I’ and a synthesis term M and 
either returns a type A and evidence that Tr - M t A, or its 
negation. Inheritance is given a context I, an inheritance term 
M, and a type A and either returns evidence that T - M 4 A, 
or its negation:We first consider the code for synthesis: We next 
consider the code for inheritance: First, we copy the smart con- 
structor S’ introduced earlier that makes it easy to access a vari- 
able in a context:Here is the result of typing two plus two on nat- 
urals:We confirm that synthesis on the relevant term returns nat- 
ural as the type and the above derivation: Here is the result of 
typing two plus two with Church numerals:We confirm that syn- 


thesis on the relevant term returns natural as the type and the 
above derivation: Unbound variable:Argument in application is 
ill typed:Function in application is ill typed:Function in applica- 
tion has type natural:Abstraction inherits type natural:Zero in- 
herits a function type:Successor inherits a function type:Succes- 
sor of an ill-typed term:Case of a term with a function type:Case 
of an ill-typed term:Inherited and synthesised types disagree in a 
switch: First, we give code to erase a type: Next, we give the 
code to erase a context: Next, we give the code to erase a lookup 
judgment: Finally, we give the code to erase a typing judgment. 
Just as there are two mutually recursive typing judgments, there 
are two mutually recursive erasure functions: We confirm that 
the erasure of the type derivations in this chapter yield the corre- 
sponding intrinsically-typed terms from the earlier chapter: Most 
top-level definitions in Agda are of functions, which are typed by 
inheritance, which is why Agda requires a type declaration for 
those definitions. A definition with a right-hand side that is a 
term typed by synthesis, such as an application, does not require 
a type declaration. 


Inference: Bidirectional type inference 


module plfa.part2.Inference where 


So far in our development, type derivations for the correspond- 
ing term have been provided by fiat. In Chapter Lambda type 
derivations are extrinsic to the term, while in Chapter DeBruijn 
type derivations are intrinsic to the term, but in both we have 
written out the type derivations in full. 


In practice, one often writes down a term with a few decorations 
and applies an algorithm to infer the corresponding type deriva- 
tion. Indeed, this is exactly what happens in Agda: we specify the 
types for top-level function declarations, and type information 
for everything else is inferred from what has been given. The 
style of inference Agda uses is based on a technique called bidi- 
rectional type inference, which will be presented in this chapter. 


This chapter ties our previous developments together. We begin 


with a term with some type annotations, close to the raw terms 
of Chapter Lambda, and from it we compute an intrinsically- 
typed term, in the style of Chapter DeBruijn. 


Introduction: Inference rules as algorithms 


In the calculus we have considered so far, a term may have more 
than one type. For example, 


(A x > x) 8 (A => A) 


holds for every type A. We start by considering a small language 
for lambda terms where every term has a unique type. All we 
need do is decorate each abstraction term with the type of its ar- 
gument. This gives us the grammar: 


L, M, N ::= decorated 
terms 
x variable 
Ax 8 APN 
abstraction (decorated) 
L +: M 
application 


Each of the associated type rules can be read as an algorithm for 
type checking. For each typing judgment, we label each position 
as either an input or an output. 


For the judgment 
TDxé Aa 


we take the context T and the variable x as inputs, and the type 
A as output. Consider the rules: 


Z 


From the inputs we can determine which rule applies: if the last 
variable in the context matches the given variable then the first 
rule applies, else the second. (For de Bruijn indices, it is even 
easier: zero matches the first rule and successor the second.) For 
the first rule, the output type can be read off as the last type in 
the input context. For the second rule, the inputs of the conclu- 
sion determine the inputs of the hypothesis, and the output of 
the hypothesis determines the output of the conclusion. 


For the judgment 
rFEM8A 


we take the context I and term M as inputs, and the type A as 
output. Consider the rules: 


TFL&A>B 
T FM 8 A’ 
A = A! 


TFL+:M8B 


The input term determines which rule applies: variables use the 
first rule, abstractions the second, and applications the third. We 
say such rules are syntax directed. For the variable rule, the in- 
puts of the conclusion determine the inputs of the hypothesis, 
and the output of the hypothesis determines the output of the 
conclusion. Same for the abstraction rule — the bound variable 
and argument are carried from the term of the conclusion into 
the context of the hypothesis; this works because we added the 
argument type to the abstraction. For the application rule, we 
add a third hypothesis to check whether the domain of the func- 
tion matches the type of the argument; this judgment is decid- 


able when both types are given as inputs. The inputs of the con- 
clusion determine the inputs of the first two hypotheses, the out- 
puts of the first two hypotheses determine the inputs of the third 
hypothesis, and the output of the first hypothesis determines the 
output of the conclusion. 


Converting the above to an algorithm is straightforward, as is 
adding naturals and fixpoint. We omit the details. Instead, we 
consider a detailed description of an approach that requires less 
obtrusive decoration. The idea is to break the normal typing 
judgment into two judgments, one that produces the type as an 
output (as above), and another that takes it as an input. 


Synthesising and inheriting types 


In addition to the lookup judgment for variables, which will re- 
main as before, we now have two judgments for the type of the 
term: 


The first of these synthesises the type of a term, as before, while 
the second inherits the type. In the first, the context and term are 
inputs and the type is an output; while in the second, all three of 
the context, term, and type are inputs. 


Which terms use synthesis and which inheritance? Our approach 
will be that the main term in a deconstructor is typed via synthe- 
sis while constructors are typed via inheritance. For instance, the 
function in an application is typed via synthesis, but an abstrac- 
tion is typed via inheritance. The inherited type in an abstraction 
term serves the same purpose as the argument type decoration of 
the previous section. 


Terms that deconstruct a value of a type always have a main 
term (supplying an argument of the required type) and often 
have side-terms. For application, the main term supplies the 
function and the side term supplies the argument. For case terms, 
the main term supplies a natural and the side terms are the two 
branches. In a deconstructor, the main term will be typed using 


synthesis but the side terms will be typed using inheritance. As 
we will see, this leads naturally to an application as a whole be- 
ing typed by synthesis, while a case term as a whole will be 
typed by inheritance. Variables are naturally typed by synthesis, 
since we can look up the type in the input context. Fixed points 
will be naturally typed by inheritance. 


In order to get a syntax-directed type system we break terms into 
two kinds, Term* and Term’, which are typed by synthesis and 
inheritance, respectively. A subterm that is typed by synthesis 
may appear in a context where it is typed by inheritance, or vice- 
versa, and this gives rise to two new term forms. 


For instance, we said above that the argument of an application 
is typed by inheritance and that variables are typed by synthesis, 
giving a mismatch if the argument of an application is a variable. 
Hence, we need a way to treat a synthesized term as if it is inher- 
ited. We introduce a new term form, M +t for this purpose. The 
typing judgment checks that the inherited and synthesised types 
match. 


Similarly, we said above that the function of an application is 
typed by synthesis and that abstractions are typed by inheri- 
tance, giving a mismatch if the function of an application is an 
abstraction. Hence, we need a way to treat an inherited term as 
if it is synthesised. We introduce a new term form M ! A for 
this purpose. The typing judgment returns A as the synthesized 
type of the term as a whole, as well as using it as the inherited 
type for M. 


The term form M | A represents the only place terms need to be 
decorated with types. It only appears when switching from syn- 
thesis to inheritance, that is, when a term that deconstructs a 
value of a type contains as its main term a term that constructs a 
value of a type, in other words, a place where a §-reduction will 
occur. Typically, we will find that decorations are only required 
on top level declarations. 


We can extract the grammar for terms from the above: 


Lt, M, N ::= terms with 


synthesized type 


x variable 
L* + M application 
MdsSA switch to 
inherited 
L, M, N ?::= terms with 
inherited type 
A x> N 
abstraction 
~ zero zero 
“suc M successor 
case L* [zero> M |suc x > N ] case 
px>7> N fixpoint 
M* t+ switch to 
synthesized 


We will formalise the above shortly. 


Soundness and completeness 


What we intend to show is that the typing judgments are decid- 
able: 


synthesize : V ([ : Context) (M : Term’) 


> Dec (A[ A] TEFMt A) 


inherit : V (I: Context) (M : Term) (A: Type) 


> Dec (IT FM 1 A) 


Given context I and synthesised term M, we must decide 
whether there exists a type A such that T - M 1+ A holds, or 
its negation. Similarly, given context I, inherited term M, and 
type A, we must decide whether T - M 4 A holds, or its nega- 
tion. 


Our proof is constructive. In the synthesised case, it will either 
deliver a pair of a type A and evidence that T / M ! A,ora 
function that given such a pair produces evidence of a contradic- 


tion. In the inherited case, it will either deliver evidence that I 
F M t A, ora function that given such evidence produces evi- 
dence of a contradiction. The positive case is referred to as 
soundness — synthesis and inheritance succeed only if the corre- 
sponding relation holds. The negative case is referred to as com- 
pleteness — synthesis and inheritance fail only when they cannot 
possibly succeed. 


Another approach might be to return a derivation if synthesis or 
inheritance succeeds, and an error message otherwise — for in- 
stance, see the section of the Agda user manual discussing syn- 
tactic sugar. Such an approach demonstrates soundness, but not 
completeness. If it returns a derivation, we know it is correct; but 
there is nothing to prevent us from writing a function that always 
returns an error, even when there exists a correct derivation. 
Demonstrating both soundness and completeness is significantly 
stronger than demonstrating soundness alone. The negative proof 
can be thought of as a semantically verified error message, al- 
though in practice it may be less readable than a well-crafted er- 
ror message. 


We are now ready to begin the formal development. 
Imports 


import Relation.Binary.PropositionalEquality as Eq 
open Eq using ( = ; refl; sym; trans; cong; cong2; # ) 
open import Data.Empty using (1; L-elim) 

open import Data.Nat using (N; zero; suc; +; * ) 
open import Data.String using (String; = ) 


open import Data.Product using (_ x ; 4; d-syntax) renaming ( ,_ 


open import Relation.Nullary using (-_; Dec; yes; no) 


to ( 


open import Relation.Nullary.Decidable using (False; toWitnessFalse) 


Once we have a type derivation, it will be easy to construct from 
it the intrinsically-typed representation. In order that we can 
compare with our previous development, we import module 
plfa.part2.More: 


import plfa.part2.More as DB 


The phrase as DB allows us to refer to definitions from that 
module as, for instance, DB._F_, which is invoked as T DB.F 
A, where I’ has type DB.Context and A has type DB.Type. 


Syntax 


First, we get all our infix declarations out of the way. We list sep- 
arately operators for judgments and terms: 


infix 4 3.3 
infix 4 Fr. 
infix 4 Fa. 
SATUXE. B25 8. 
IntTixr: 7% S. 
infix 8 Xs_ 
infix 5 w= 
infix 6 1 
infix 6 _J_ 
infixl 7 _ 
infix 8 ‘suc 
infix 9 *_ 
Id : Set 
Id = String 
data Type : Set where 
*N : Type 
_= —: Type - Type - Type 


data Context : Set where 
@ : Context 
_,.8 : Context > Id > Type > Context 


data Term* : Set 
data Term- : Set 


data Term* where 


_ : Id > Term* 
Pan : Term* > Term- > Term* 
4 : Term- > Type > Term* 


data Term- where 


K = : Id = Term- > Term- 


“zero : Term- 
“suc. : Term- > Term- 
“case [zero= |suc = ] : Term* > Term- - Id > Term- => Term- 
> : Id = Term- > Term- 
t : Term*+ - Term- 


The choice as to whether each term is synthesized or inherited 
follows the discussion above, and can be read off from the infor- 
mal grammar presented earlier. Main terms in deconstructors 
synthesise, constructors and side terms in deconstructors inherit. 


Example terms 


two : Term- 
two = “suc (‘suc ~zero) 


plus : Term* 
plus = (u i ak Nh ae ke MA S 
“case (~ "m") [zeros * "n" + 
| Suc Win = “suc (~ "p" i ( My" t) « (~ 
4 (N= “N = *N) 


2+2 : Term* 
2+2 = plus : two « two 


The only change is to decorate with down and up arrows as re- 
quired. The only type decoration required is for plus. 


Ch : Type 
Ch = (N= -°N) > ‘No CN 


twos : Term- 
two* = (x Mgt = XK a = * We a c neu a (~ Me Al t) 1) tT) 


plus* : Term* 
plus‘ — (x Mngt = x “A” = x ee => x a da = 


SORE fae CP MS age ae (MB (RE ee. CS IN a a oa) 


4 (Ch = Ch = Ch) 


suc® : Term- 
suice =~. "x" = “sue (~ "xX" +t) 


242° : Termt 


2+2° = plus© : twos : twoc : suc® : “zero 


The only type decoration required is for plus‘. One is not even 
required for suc‘, which inherits its type as an argument of 
plus*. 


Bidirectional type checking 


data 3 8 : Context - Id - Type > Set where 


Z:V {0 x A} 


data _-+ 1: Context > Term* > Type > Set 
data _- 4: Context - Term - Type > Set 


data +1 where 
kK :V{PA 
x 8 


data + 4 where 


FA : V {Ff x NA B} 


tKcase : V {fF LM x N A} 
>FrRL+d N 
>FEMUA 
-F ,xs NENUA 


We follow the same convention as Chapter Lambda, prefacing 
the constructor with + to derive the name of the corresponding 
type rule. 


The rules are similar to those in Chapter Lambda, modified to 
support synthesised and inherited types. The two new rules are 
those for -1 and rt. The former both passes the type decora- 
tion as the inherited type and returns it as the synthesised type. 
The latter takes the synthesised type and the inherited type and 
confirms they are identical — it should remind you of the equal- 
ity test in the application rule in the first section. 


Exercise bidirectional-mul (recommended) 


Rewrite your definition of multiplication from Chapter Lambda, 
decorated to support inference. 


-- Your code goes here 


Exercise bidirectional-—products (recommended) 


Extend the bidirectional type rules to include products from 
Chapter More. 


-- Your code goes here 


Exercise bidirectional-rest (stretch) 


Extend the bidirectional type rules to include the rest of the con- 
structs from Chapter More. 


-- Your code goes here 


Prerequisites 


2Tp_ : (AB: Type) > Dec (A = B) 

N 2Tp “N = yes refl 

“N =Tp (A = B) = no A() 

(A = B) =Tp ‘N = no A() 

(A = B) =Tp (A’ = B’) 

with A =Tp A’ | B =Tp B’ 

| no Az | _ = no A{refl > A¥ refl} 
| yes _ | no Be = no A{refl > B¥ refl} 
| yes refl | yes refl = yes refl 


mM 
as 


dom= : V {AA BB’}3>A>BEzA’ =B’' oA 
dom= refl = refl 


rng= : V {A A’ BB’} > A>B=A’ =B’ +B =B’ 
rng= refl = refl 


N#> : V {A B} > N#A2=B 
N#= () 


Unique types 


uniq-9 : V {PT x AB} oT3x8A-T3Rx&8BaAE=B 
unig-3 ZZ = refl 

uniq-3 Z (S x#y _) = 1-elim (x#y refl) 
uniq-3 (S x#y _) Z = 1-elim (x#y refl) 
uniq-3 (S__ 3x) (S__ 3x’) = unig-3 3x 3x’ 


If both derivations are by rule Z then uniqueness follows imme- 
diately, while if both derivations are by rule s then uniqueness 
follows by induction. It is a contradiction if one derivation is by 
rule Z and one by rule S, since rule Z requires the variable we 
are looking for is the final one in the context, while rule S re- 
quires it is not. 


uniq-t : V{T MAB} OT FMtrASTRFM1B3A2B 


uniq-t (F 3x) (F 3x’) = uniq-3 3x 3x’ 
uniq-t (KL + EM) (HL’ + HM’) = rng= (uniq-t HL EL’) 
uniq-t (Fi FM) (Fu FM’) = refl 


There are three possibilities for the term. If it is a variable, 
uniqueness of synthesis follows from uniqueness of lookup. If it is 
an application, uniqueness follows by induction on the function 
in the application, since the range of equal types are equal. If it is 
a switch expression, uniqueness follows since both terms are dec- 
orated with the same type. 


Lookup type of a variable in the context 


-- (32 A]°T,y8B3x 8A) 
ext3 x¥y ss (A, Z>) = x#y refl 
ext -A4(A,S 3x) = 7A (A, 3x ) 


Given a type A and evidence that T , y 8 B 3 x 8 Aholds, 
we must demonstrate a contradiction. If the judgment holds by 
Z, then we must have that x and y are the same, which contra- 
dicts the first assumption. If the judgment holds by S _ 3x 


then >x provides evidence that T > x 8 A, which contradicts 
the second assumption. 


lookup : V (Ff : Context) (x : Id) 


~ Dec (AT A] F 3x8 A) 


lookup 2 x = no (A ()) 
lookup (F_, y $B) x with x 2 y 
| yes refl = yes (B,Z) 
| no x#y with lookup T x 
| no 7d no (ext x#y 74) 


| yes (A, 3x ) yes (A, S x#y 3x ) 


Consider the context: 
* If it is empty, then trivially there is no possible derivation. 


* If it is non-empty, compare the given variable to the most 
recent binding: 


© If they are identical, we have succeeded, with Z as 
the appropriate derivation. 


© If they differ, we recurse: 


M@ If lookup fails, we apply ext > to convert the 
proof there is no derivation from the contained 
context to the extended context. 


M@ If lookup succeeds, we extend the derivation 
with Ss. 


Promoting negations 


For each possible term form, we need to show that if one of its 
components fails to type, then the whole fails to type. Most of 
these results are easy to demonstrate inline, but we provide aux- 
iliary functions for a couple of the trickier cases. 


L M} 
B 


2-3 (3, Bo JT RL: Mt B’) 
sarg HL -HM ( B’ , FL’ = EM’ ) rewrite dom= (uniq-1t HL FL’) = 


Let FL be evidence that T F L +t A => B holds and —t™M be 
evidence that T - M | A does not hold. Given a type B’ and 
evidence that T F L - M t+ B’ holds, we must demonstrate a 
contradiction. The evidence must take the form FL’ - Fm’, 
where FL’ is evidence that T - L +t A’ => B’ and Fm’ is 
evidence that T -F M | A’. By unigq-t applied to FL and 
FL’, we know that A > B = A’ => B’, and hence that A = 
A’, which means that -FM and -M’ yield a contradiction. 
Without the rewrite clause, Agda would not allow us to derive 
a contradiction between -FM and FM’, since one concerns type 
A and the other type A’. 


aswitch : V {—f MA B} 
-~FEMtTA 


~>7PFF (Mt) 4B 
aswitch EM A#¥B (Ft EM’ A’=B) rewrite uniq-t FM HM’ = A#B A’=B 


Let FM be evidence that Tr - M + A holds, and A#B be evi- 
dence that A # B. Given evidence that r F (M t) J! B holds, 
we must demonstrate a contradiction. The evidence must take 
the form Ft FM’ A’=B, where FM’ is evidence that Tr F M 
t+ A’ and A’=B is evidence that A’ = B. By uniq-t applied 
to FM and FM’ we know that A = A’, which means that A#B 
and A’=B yield a contradiction. Without the rewrite clause, 
Agda would not allow us to derive a contradiction between A#B 
and A’=B, since one concerns type A and the other type A’. 


Synthesize and inherit types 


synthesize : V (fF : Context) (M : Term*) 


> Dec (AT AJ T EMTA ) 


inherit : V (F : Context) (M: Term-) (A : Type) 


=EM EP 


> Dec (I EF M4 A) 


synthesize [ (* x) with lookup F x 


| no 7-4 = no (A{ (A,r 3x) 37793 (A, 3x) } 
| yes (A, 2x ) = yes (A,F 3x ) 
synthesize F (L + M) with synthesize T L 
| no 7-4 = no (A{(_ ,H +: ) = 7A (_,F 
| yes ( N, HL) = no (A{ ( , FL’ + ) > Ne¥» (unig- 
| yes (A+B, +L) with inherit FMA 
| no -HM = no (-arg FL -+M) 
| yes EM = yes (B, tL: MM ) 
synthesize - (Ms A) with inherit MA 
| no -=-M = no (A{ (_, LEM) = -HM EM }) 
| yes EM = yes (A, FL IM ) 


There are three cases: 


* If the term is a variable ~ x, we use lookup as defined 
above: 


© If it fails, then -4 is evidence that there is no A 
such that Tr 3 x 8 A holds. Evidence that TF 
x t Aholds must have the form F* 3x, where 3x 
is evidence that Tr 3 x 8 A, which yields a contra- 
diction. 


© If it succeeds, then >x is evidence that Tr 3 x 8 A, 
and hence -* 3x isevidence that TF * xt A. 


* If the term is an application L - M, we recurse on the 
function L: 


© If it fails, then -3 is evidence that there is no type 
such that T - L + _ holds. Evidence that TF L 


M +t _ holds must have the form FL - _, where 
FL is evidence that T F L t _, which yields a 
contradiction. 


© If it succeeds, there are two possibilities: 


M@ One is that FL is evidence that Tr -F L 8 
~N. Evidence that T FF L - M +t _ holds 


must have the form FL’ - _ where FL’ is 
evidence that T - L t A = B for some 
types Aand B. Applying uniq-t to FL and 
FL’ yields a contradiction, since ~N cannot 
equal A => B. 


M@ The other is that FL is evidence that T -F L 
+ A => B, in which case we recurse on the ar- 
gument M: 


M@ If it fails, then wm is evidence that I 
F M 4 A does not hold. By ~arg ap- 
plied to FL and -#y, it follows that T 
F L + M t Bcannot hold. 


M@ If it succeeds, then -F™ is evidence that 
r-M J A,and FL - FM provides 
evidence that TF L- Mt B. 


* If the term is a switch M | A from synthesised to inher- 
ited, we recurse on the subterm M, supplying type A by in- 
heritance: 


© If it fails, then --™ is evidence that T -/& MtsA 
does not hold. Evidence that T F (M J A) t A 
holds must have the form 14 FM where FM is evi- 
dence that T F M 4 A holds, which yields a con- 
tradiction. 


© If it succeeds, then -M™ is evidence that T F M 4 
A, and Fs FM provides evidence that T F (M 4 
A) t A. 


inherit [ (X x = N) N = no (A()) 
inherit T (X x = N) (A = B) with inherit (F , x 8 A) NB 


... | no 7EN = no (A{ (KX EN) = -#EN EN }) 
| yes EN = yes (FX EN) 

inherit [ ‘zero ‘N = yes Fzero 

inherit [ “zero (A = B) = no (A()) 


inherit [T (‘suc M) “N with inherit [T M ‘“N 
... | no 7=KM no (A{ (Fsuc FM) = -+HM EM }) 
| yes EM yes (FSuc EM) 


inherit T (‘suc M) (A=>=B) = no (A()) 
inherit [ (‘case L [zero> M |suc x = N ]) A with synthesize F L 
... | no 74 = no (A{ (Fcase EL )3-73 (°N,F+ 
| yes ( = _,HL) = no (A{ (Fcase HL’ __) > N¥» (uniq-1 
| yes ( N, HL ) with inherit MA 
| no -KM = no (A{ (FKcase _-M_) = -M EM }) 
| yes FM with inherit (F , x 8 “N) NA 
| no -=EN = no (A{ (Fcase __ EN) > -+N EN }) 
fe | yes EN = yes (Fcase HL HM EN) 
inherit [ (ux = N) A with inherit (T , x 8A) NA 
... | no 7EN = no (A{ (Hu EN) > -HN EN }) 
... | yes EN = yes (Hy EN) 
inherit [ (Mt) B with synthesize [ M 
... | no 74 = no (A{ (Ht FM_) > 7-4 ( _ , FM ) }) 
| yes (A, EM ) with A 2Tp B 
| no A#B no (-switch FM AzB) 


| yes A=B = yes (Ft EM ASB) 


We consider only the cases for abstraction and and for switching 
from inherited to synthesized: 


¢ If the term is an abstraction A x = N and the inherited 
type is ~N, then itis trivialthat TF (A x > N) 4 °N 
cannot hold. 


* If the term is an abstraction A x => N and the inherited 
type is A > B, then we recurse with context T , x 8 A 
on subterm N inheriting type B: 


© If it fails, then -FN is evidence that Tr , x 8 AEF 
N | B does not hold. Evidence that TF (A x > 
N) 4! A = B holds must have the form FA EN 
where FN is evidence that Tr , x 8 AEF N J B, 
which yields a contradiction. 


© If it succeeds, then -N is evidence that Tr , x 8 A 
Ft N | Bholds, and FA EN provides evidence that 
rk (Ax >N) J} ADB. 


* If the term is a switch M +t from inherited to synthesised, 
we recurse on the subterm ™M: 


© If it fails, then -4 is evidence there is no A such 


that r / mM +t Aholds. Evidence that T - (M 1+) 
1 B holds must have the form Ft FM _ where FM 
is evidence that T - M 1+ _, which yields a contra- 
diction. 


© If it succeeds, then FMis evidence that TF MtA 
holds. We apply _2Tp_ do decide whether A and B 
are equal: 


M@ if it fails, then A#B is evidence that A # B. 
By “switch applied to -M and A#B it fol- 
low that Tr F (M t+) J Bcannot hold. 


M@ If it succeeds, then A=B is evidence that A 
B, and Ft FM A=B provides evidence that 
F (Mt) 4 B. 


ill 


The remaining cases are similar, and their code can pretty much 
be read directly from the corresponding typing rules. 


Testing the example terms 


S’ :V {fF x y A B} 
> {x#y : False (x = 


I~ 
< 
— 
we 


S’ {x#y = x#y} x = S (toWitnessFalse x#y) x 


#242 : @F 242 + N 
F2+2 = 
(Fu 
(Hu 
(KX 
(EX 
(kcase (K (S’ Z)) (Ht (F° Z) refl) 
(FSUC 
(Ht 


“Fr (F Z) refl 
> Et (F (S’ Z)) refl) 
refl)))))) 
* FSuc (FSuC Fzero) 
* -Ssuc (Suc zero) ) 


_ : synthesize @ 2+2 = yes ( ‘N , F2+2 ) 
_=refl 


Indeed, the above derivation was computed by evaluating the 
term on the left, with minor editing of the result. The only edit- 
ing required was to use the smart constructor Ss’ to obtain the 
evidence that two variable names (as strings) are unequal (which 
it cannot print nor read). 


H24+2° : @ bk 242° t+ “N 


#2+2¢ = 
FL 
(KX 
(KX 
(KX 
(KX 
(Ht 
(F° 
(S* 
(S’ 
(S’ Z))) 
Ht (F (S’ Z)) refl 
Ft 
(F° 
(S’ 
(S* -Z)) 
- Et (F (S’ Z)) refl 
- Et (F Z) refl) 
refl) 
refl))))) 
LA 
(KX 
(Ht 
(HK. (S’ Z) : 
Ht (KF (S’ Z) + Et (F° Z) refl) 
refl) 


refl)) 


(Ht 
(K* (S’ Z) : 
Ht (FK (S’ Z) + Et (F Z) refl) 
refl) 
refl)) 
- EX (FSuc (Ht (F° Z) refl)) 
- zero 


: synthesize @ 2+2° = yes ( ‘N , F2+2°¢ ) 
= refl 


Again, the above derivation was computed by evaluating the 
term on the left and editing. 


Testing the error cases 
It is important not just to check that code works as intended, but 
also that it fails as intended. Here are checks for several possible 


errors: 


_ : synthesize @ ((X "x" = * "y" t) 4 (N= °N)) = no | 
= refl 


: synthesize @ (plus « suc‘) = no _ 
= refl 


: synthesize @ (plus « sucs + two) =no | 
= refl 


: synthesize @ ((two s “N) : two) = no _ 
= refl 


: synthesize @ (twoc t “N) = no _ 
= refl 


: synthesize @ (‘zero 1 “N= ‘N) = no _ 
= refl 


: synthesize @ (two 1 “N= ‘N) = no | 
= refl 


: synthesize @ (‘suc twoc 1s “N) = no _ 
= refl 


: synthesize 2 


((*case (twos 4 Ch) [zeros ‘zero |suc "x" = * "x" t Ju - 


= refl 


: synthesize 2 


((*case (twot 4 ‘N) [zeros ‘zero |suc "x" =~ "x" t Ju * 


= refl 


= refl 


Erasure 


From the evidence that a decorated term has the correct type it is 
easy to extract the corresponding intrinsically-typed term. We 
use the name DB to refer to the code in Chapter DeBruijn. It is 
easy to define an erasure function that takes an extrinsic type 
judgment into the corresponding intrinsically-typed term. 


ll lITp : Type > DB.Type 
Il “N IITp = DB. ’N 
ll A = B IITp = || A IlTp DB.= || B IITp 


It simply renames to the corresponding constructors in module 
DB. 


IL lICx : Context - DB.Context 
Il @ |ICx DB.@ 
Ir , xX 8 A WX Il WCx DB., Il A IITp 


It simply drops the variable names. 


id: V {Fx A} oP 3x8 AIF ICx DB.3 II A IITp 


: synthesize @ (((X "x" = * "x" +t) & “N= (‘N= ‘N))) = no | 


il Z iS 
| S x# 3x [IB 


DB.Z 
DB.S Il 3x IIB 


It simply drops the evidence that variable names are distinct. 


Iie : V {MA} 30T EM? A= IIT IICx DB.F Il A IITp 
ily : VIF MA} 3T EMs Aa IIT IICx DB.F Il A IITp 
Il} RH EX IF = DB. || Fx II3 

I} HL» EM |I* = || EL Il* DB.: || EM II- 

I] He EM [I+ = || MM Ilr 

I] EX EN [I> = DB.X Il EN Il- 

Il Hzero [I> = DB. zero 

|| HSuc EM [I> = DB. suc || HM II- 

|| Ecase EL EM EN |I|- = DB.case || EL II* Il EM II- Il EN II- 
Il Hu EM [I> = DB.u Il FM Il- 

I] Ht EM refl Il- = || eM Il* 


Erasure replaces constructors for each typing judgment by the 
corresponding term constructor from DB. The constructors that 
correspond to switching from synthesized to inherited or vice 
versa are dropped. 


— ot |p F242 |I* = DB.2+2 
= refl 


= [| F2e2° il? = DB. 2+2* 
= refl 


Thus, we have confirmed that bidirectional type inference con- 
verts decorated versions of the lambda terms from Chapter 
Lambda to the intrinsically-typed terms of Chapter DeBruijn. 


Exercise inference-multiplication (recommended) 

Apply inference to your decorated definition of multiplication 
from exercise bidirectional-mul, and show that erasure of 
the inferred typing yields your definition of multiplication from 


Chapter DeBruijn. 


-- Your code goes here 


Exercise inference-products (recommended) 


Using your rules from exercise bidirectional-products, 
extend bidirectional inference to include products. Also extend 
erasure. 


-- Your code goes here 


Exercise inference-rest (stretch) 


Using your rules from exercise bidirectional-rest, extend 
bidirectional inference to include the rest of the constructs from 
Chapter More. Also extend erasure. 


-- Your code goes here 


Bidirectional inference in Agda 


Agda itself uses bidirectional inference. This explains why con- 
structors can be overloaded while other defined names cannot — 
here by overloaded we mean that the same name can be used for 
constructors of different types. Constructors are typed by inheri- 
tance, and so the type is available when resolving the construc- 
tor, whereas variables are typed by synthesis, and so each vari- 
able must have a unique type. 


answer = 6 * 7 


Unicode 


This chapter uses the following unicode: 


{| U+2193: DOWNWARDS ARROW (\d) 
+ U+2191: UPWARDS ARROW (\u) 
| U+2225: PARALLEL TO (\| |) 


We have just one type: As before, a context is a list of types, 
with the type of the most recently bound variable on the right: 
Intrinsically-scoped variables correspond to the lookup judgment. 
The rules are as before: Intrinsically-scoped terms correspond to 
the typing judgment, but with * as the only type. The result is 
that we check that terms are well scoped — that is, that all vari- 
ables they mention are in scope — but not that they are well 
typed: As before, we can convert a natural to the corresponding 
de Bruijn index. We no longer need to lookup the type in the 
context, since every variable has the same type:We can then in- 
troduce a convenient abbreviation for variables: Our only exam- 
ple is computing two plus two on Church numerals: Our defini- 
tion of renaming is as before. First, we need an extension lemma: 
Now it is straightforward to define renaming: Our definition of 
substitution is also exactly as before. First we need an extension 
lemma: Now it is straightforward to define substitution: It is easy 
to define the special case of substitution for one free variable: Re- 
duction continues until a term is fully normalised. Hence, instead 
of values, we are now interested in normal forms. Terms in nor- 
mal form are defined by mutual recursion with neutral 
terms:Neutral terms arise because we now consider reduction of 
open terms, which may contain free variables. A term is neutral 
if it is a variable or a neutral term applied to a normal term:A 
term is a normal form if it is neutral or an abstraction where the 
body is a normal form. We use '_ to label neutral terms. Like 
~_, it is unobtrusive:We introduce a convenient abbreviation for 
evidence that a variable is neutral:For example, here is the evi- 
dence that the Church numeral two is in normal form: Here are 
the formalised rules: We cut-and-paste the previous definition: 
Here is the demonstration that two plus two is four: A term 
makes progress if it can take a step or is in normal form:If a term 
is well scoped then it satisfies progress: Gas is specified by a nat- 
ural number:When our evaluator returns a term N, it will either 
give evidence that N is normal or indicate that it ran out of 
gas:Given a term L of type A, the evaluator will, for some N, re- 
turn a reduction sequence from L to N and an indication of 
whether reduction finished:The evaluator takes gas and a term 
and returns the corresponding steps: We reiterate our previous 
example. Two plus two is four, with Church numerals: Here is 


the Scott representation of naturals encoded with de Bruijn in- 
dexes: With de Bruijn indices, we have the following: We can 
now define two plus two exactly as before: 


Untyped: Untyped lambda calculus with 
full normalisation 


module plfa.part2.Untyped where 


In this chapter we play with variations on a theme: 


Previous chapters consider intrinsically-typed calculi; here 
we consider one that is untyped but intrinsically scoped. 


Previous chapters consider call-by-value calculi; here we 
consider call-by-name. 


Previous chapters consider weak head normal form, where 
reduction stops at a lambda abstraction; here we consider 
full normalisation, where reduction continues underneath a 
lambda. 


Previous chapters consider deterministic reduction, where 
there is at most one redex in a given term; here we con- 
sider non-deterministic reduction where a term may contain 
many redexes and any one of them may reduce. 


Previous chapters consider reduction of closed terms, those 
with no free variables; here we consider open terms, those 
which may have free variables. 


Previous chapters consider lambda calculus extended with 
natural numbers and fixpoints; here we consider a tiny cal- 
culus with just variables, abstraction, and application, in 
which the other constructs may be encoded. 


In general, one may mix and match these features, save that full 
normalisation requires open terms and encoding naturals and fix- 
points requires being untyped. The aim of this chapter is to give 
some appreciation for the range of different lambda calculi one 


may encounter. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 

open Eq using ( = ; refl) 

open import Data.Empty using (1; L-elim) 

open import Data.Nat using (N; zero; suc; < ; s? ; zsn; sss) 
open import Relation.Nullary using (-_) 


open import Relation.Nullary.Decidable using (True; toWitness) 


Untyped is Uni-typed 


Our development will be close to that in Chapter DeBruijn, save 
that every term will have exactly the same type, written * and 
pronounced “any”. This matches a slogan introduced by Dana 
Scott and echoed by Robert Harper: “Untyped is Uni-typed”. One 
consequence of this approach is that constructs which previously 
had to be given separately (such as natural numbers and fix- 
points) can now be defined in the language itself. 


Syntax 
First, we get all our infix declarations out of the way: 


infix 4 + 
infix 4 9. 


INTLXt Be 4, 
infix 6 X_ 
Intix 6 
infixl 7 


Types 


data Type : Set where 
x : Type 


Exercise (Type=T ) (practice) 


Show that Type is isomorphic to T, the unit type. 


-- Your code goes here 


Contexts 


data Context : Set where 
@ : Context 
_,_ : Context > Type > Context 


We let T'and A range over contexts. 
Exercise (Context=N) (practice) 
Show that Context is isomorphic to N. 


-- Your code goes here 


Variables and the lookup judgment 


data 3: Context - Type - Set where 


Z:V {0 A} 


“oT3A 


We could write the rules with all instances of A and B replaced 


by *, but arguably it is clearer not to do so. 


Because * is the only type, the judgment doesn’t guarantee any- 
thing useful about types. But it does ensure that all variables are 
in scope. For instance, we cannot use S S Z in a context that 


only binds two variables. 


Terms and the scoping judgment 


data + _: Context - Type - Set where 


Now we have a tiny calculus, with only variables, abstraction, 
and application. Below we will see how to encode naturals and 
fixpoints into this calculus. 


Writing variables as numerals 


length : Context +N 
length 2 zero 
length (FT , _) suc (length T) 


count : V {f} - {n : N} = 
count {f , «} {zero} ( 
count {fF , x} {(suc n)} ( 


p:n< length’) -f 3x 
Ss Z 
S (count p) 


wn 
ToT 
S 
ol 


# =: V {IT} 
- (n: N) 
> {ne : True (suc n s? length [)} 


-PRe* 
# =n {n&} = ~*~ count (toWitness n€&) 


Test examples 


twoc : V {fT} ->F kx 


twoc = XK (#1: (#1: #0)) 


fours : V {7} -T re 
four° =X X (#1: (#1 (#1 (#1 # 0)))) 
plus¢ : V {ff} >-P Fx 
plusSs =KX XX (# 3 #1 (#2:#1 # 0)) 


242°: Ge 
2+2° = plus* - twos - twos 


Before, reduction stopped when we reached a lambda term, so 
we had to compute plus® - twoS - two® + suc® + ~zero 
to ensure we reduced to a representation of the natural four. 
Now, reduction continues under lambda, so we don’t need the 
extra arguments. It is convenient to define a term to represent 
four as a Church numeral, as well as two. 


Renaming 


ext : V {f A} > (V {A} -F 3A>A3 A) 


We could replace all instances of A and B by *, but arguably it 
is clearer not to do so. 


rename : V {f A} 
> (V {A} -F 3A3A3 A) 


> (V {A} -T FASAFA) 


rename p (* x) = * (p x) 
rename p (4 N) = X (rename (ext p) N) 
rename p (L : M) = (rename p L) - (rename p M) 


This is exactly as before, save that there are fewer term forms. 


Simultaneous substitution 


exts : V {Tf A} - (V {A} -F 3 A>AFA) 


> (V {AB} >T ,B3A2A,BEHA) 
~Z 
rename S_ (6 x) 


Again, we could replace all instances of A and B by *. 


subst : V {f A} 
~ (V {A} =F 3A3AFA) 
~ (V {A} -F FASAEA 

subst o (° k) = 

subst o (X N) = 


) 

ok 

K (subst (exts o) N) 
subst o (L : M) (su 


subst o L) : (subst o M) 


Again, this is exactly as before, save that there are fewer term 
forms. 


Single substitution 


subst-zero : V {fF B} - 
subst-zero M Z 
subst-zero M (S x) 


[+ B) = V {A} = (F , B35 A) > (TFA) 


[.]: V {F A B} 
, BEA 


_[_] {1} {A} {B} NM = subst {f , B} {f} (subst-zero M) {A} N 
Neutral and normal terms 


data Neutral: V {fT A 
data Normal :V({lA 


data Neutral where 
: V {PF A} (x : F 3A) 


~ Neutral (* x) 


:V {FF} {LM: Pr x} 
Neutral L 
Normal M 


Neutral (L : M) 


4 


L 


4 


data Normal where 


_: V {PF A} {M : PT + A} 
~ Neutral M 


~ Normal M 


KR :V {I} {N:T , x F x} 
~ Normal N 


~ Normal (X N) 


#  : V {7} (n : N) {n€& : True (suc n s? length T)} > Neutral {fF} ( 


#’ n{n&} = ~*~ count (toWitness nef ) 


_ : Normal (twoc {2}) 
 =KK(' # 1: (' #1: (' # @))) 


The evidence that a term is in normal form is almost identical to 
the term itself, decorated with some additional primes to indicate 
neutral terms, and using #' in place of # 


Reduction step 


The reduction rules are altered to switch from call-by-value to 
call-by-name and to enable full normalisation: 


* The rule €1 remains the same as it was for the simply- 
typed lambda calculus. 


* In rule &2, the requirement that the term L is a value is 
dropped. So this rule can overlap with £1 and reduction is 
non-deterministic. One can choose to reduce a term inside 
either Lor M. 


* In rule B, the requirement that the argument is a value is 


dropped, corresponding to call-by-name evaluation. This 
introduces further non-determinism, as § overlaps with 
&2 when there are redexes in the argument. 


* Anew rule Z is added, to enable reduction underneath a 
lambda. 


infix 2 —_ 
data — : V {f A} = (TF A) = (F F A) = Set where 


i : VT} {LL’ M: Te x} 
-L-L 


2: V(r} {LMM : Te x} 
-M—M 


B:V {}{N:T ,*F x} {(M: TF x} 


+(KN)>M—oON[M] 
7: V {7} {NN ST, wb x} 
+N N’ 


Exercise (variant-1) (practice) 
How would the rules change if we want call-by-value where 
terms normalise completely? Assume that pg should not permit 


reduction unless both terms are in normal form. 


-- Your code goes here 


Exercise (variant—2) (practice) 


How would the rules change if we want call-by-value where 
terms do not reduce underneath lambda? Assume that 8 permits 


reduction when both terms are values (that is, lambda abstrac- 
tions). What would 2+2¢ reduce to in this case? 


-- Your code goes here 


Reflexive and transitive closure 


infix 2 -—»_ 
infix 1 begin_ 
infixr 2 —( ) 
infix 3 I 


data —» : V {f A} - (TF A) = (F F A) = Set where 


np: V {0 A} (Mi: PRA) 


—() : VF A} (Li: TFA) {MN : T FA} 


|! 


begin : V {Tf} {A} {MN : TF A} 


begin M—-N = M—N 
Example reduction sequence 


_ 1 242° —» four 


begin 
pluss + twos - twos 
=—s{ Ex 6} 
KX XK twoc: #1: (#2 :#1:#0)) + twos 


( 
—( 8B ) 

KK twoc : #1. (twoc: #1: # 0) 
—( ¢ (f (1 B)) ) 

KK ((K#2: (#2: #0)) + (twoc: #1: #0)) 
—( ¢ (CB) ) 


KX#1-+ (#1. (twoc - #1. #0)) 

= © (CG (Ex (Ee (8a B)))) 9 

KK#1+ (# 1+ ((K#2+ (#2 + #0)) + #0)) 
—{ ¢ (G (§2 (&2 B))) ) 
K(K#1+ (#1 (#1 (#1 #0)))) 

| 


After just two steps the top-level term is an abstraction, and Z 
rules drive the rest of the normalisation. 


Progress 


Progress adapts. Instead of claiming that every term either is a 
value or takes a reduction step, we claim that every term is ei- 
ther in normal form or takes a reduction step. 


Previously, progress only applied to closed, well-typed terms. We 
had to rule out terms where we apply something other than a 
function (such as ~ zero) or terms with a free variable. Now we 
can demonstrate it for open, well-scoped terms. The definition of 
normal form permits free variables, and we have no terms that 
are not functions. 


data Progress {f A} (M: T+ A) : Set where 


step : V {N: TF A} 
~M—N 


- Progress M 


done : 
Normal M 


- Progress M 


progress : V {f A} > (M: [+ A) = Progress M 


progress (° x) = done (’ ~ x) 
progress (X N) with progress N 
... | step NN’ = step (C NN’) 
... | done NrmN = done (X NrmN) 
progress (~ x : M) with progress M 
... | step M—M’ = step (E2 M—M’) 

| done NrmM = done (’ (* x): Nr 


progress ((X N) : M) = step B 


progress (L@(_-« _) : M) with progress L 
... | step L—-L’ = step (E1 L—-L’) 
| done (’ NeuL) with progress M 
| step M—M’ = step (E2 M—M’) 
| done NrmM = done (’ NeuL - Nrn 


We induct on the evidence that the term is well scoped: 


¢ If the term is a variable, then it is in normal form. (This 
contrasts with previous proofs, where the variable case was 
ruled out by the restriction to closed terms.) 

If the term is an abstraction, recursively invoke progress on 
the body. (This contrast with previous proofs, where an ab- 
straction is immediately a value.): 


© If it steps, then the whole term steps via Z. 
© If it is in normal form, then so is the whole term. 


If the term is an application, consider the function sub- 
term: 


© If it is a variable, recursively invoke progress on the 
argument: 


M@ If it steps, then the whole term steps via £2; 
M@ If it is normal, then so is the whole term. 


© If it is an abstraction, then the whole term steps via 
B. 

© If it is an application, recursively apply progress to 
the function subterm: 


M@ If it steps, then the whole term steps via £1. 
M@ If it is normal, recursively apply progress to 
the argument subterm: 


M@ If it steps, then the whole term steps via 
E2. 
M@ If it is normal, then so is the whole term. 


The final equation for progress uses an at pattern of the form 


P@Q, which matches only if both pattern P and pattern Q match. 
Character @ is one of the few that Agda doesn’t allow in names, 
so spaces are not required around it. In this case, the pattern en- 
sures that L is an application. 


Evaluation 
As previously, progress immediately yields an evaluator. 


record Gas : Set where 
constructor gas 
field 
amount : N 


data Finished {f A} (N : FFA) : Set where 


done : 
Normal N 


~ Finished N 


out-of-gas : 


Finished N 


data Steps : V {f A} >[ F A = Set where 


steps : V {f A} {L N: FT + A} 
>L—N 
~ Finished N 


> Steps L 
eval (gas zero) L 
eval (gas (suc m)) L with progress L 
| done NrmL 
| step {M} L—M with eval (gas m) M 
| steps MN fin = steps (L —( L—M ) M-l 


steps (L #) out-of-gas 


steps (L #) (done NrmL) 


The definition is as before, save that the empty context © gener- 


alises to an arbitrary context TI. 
Example 


_ 1 eval (gas 100) 2+2° = 


steps 
((x 
(KX 
(X 
(X 
((3 45 (5 Z)))) = 4 (Se 2)) = 
CGS Se ZY Uo Se 2) 
AU G2))-* (CG 2Z)) = 
(a GA” (Ss 2)) 2 10 GS 2)) = 
=o ta Bo) 
(X 
(X 
(X 


CC 1S Zy) * (CAS 2)) 


CC" (Ss (Zy)k eC G2)) * C 


(ATA GZ) * ( G2)) 
=—( B) 
K 


(xX 


(aa CAS 2) 10" 4S 2p) oe 


(ACK SZ) © 1" G2)) 
=e (¢ (62 B)) 2 


K 
(xX 
(AS © Z)))* (C SS 2))) 
(ACA C UG 2)) © (CG 2)) « 
=—( ¢ (¢ B) ) 
K 
(xX 
(~ (S Z)) 
CC" (3-2)) 


( . 
(A AC (5 Z)) * (CC  2)) 


K 
(xX 
(" (S-2)) 
((" (2Z)) @ 
OT” (SS Zh) oe SS Z))). * 
=i © AG (ee ee BI): 
RAK (5 Z)) = UC (8 2)) © (CS 2) 


CC 


C 


Z)))))) 
Z)))) 
Z)))) 
Z))) (5 Z)) 
yy) 
)))) 
Vy). eo heey) 
Z)})I¢ ( (1S Z)) 
(~ Z))). * 
Z)))) « ( (8S 2Z)) + 
“2)))) * (45 2)) 


C 


CC 


Aye CZ) 
CC 


CC" S2)) ¢ 


CC 


Z))) 


Z))) 


Z))) 


Z)))) 


Naturals and fixpoint 


We could simulate naturals using Church numerals, but comput- 
ing predecessor is tricky and expensive. Instead, we use a differ- 
ent representation, called Scott numerals, where a number is es- 
sentially defined by the expression that corresponds to its own 
case statement. 


Recall that Church numerals apply a given function for the corre- 
sponding number of times. Using named terms, we represent the 
first three Church numerals as follows: 


zero = AsPAZRzZ 
one = AsPAZAR SS: Zz 
two = AsrPAzRS+: (8S = Z) 


In contrast, for Scott numerals, we represent the first three natu- 
rals as follows: 


As x®>Aizrz 


zero = 
one =As PAzZ>S- zero 
two =As >Az>sS- one 


Each representation expects two arguments, one corresponding 
to the successor branch of the case (it expects an additional argu- 
ment, the predecessor of the current argument) and one corre- 
sponding to the zero branch of the case. (The cases could be in 
either order. We put the successor case first to ease comparison 
with Church numerals.) 


“zero : V {fF} - (FF x) 
“zero = X XK (# . 


“suc: VW {P} 


= (PF 
“suc M = (KK X 


kx) > (FF x) 
(#1:#2))°*M 


(Fk *x) 2 (PF kx) > (F , x Ee) 3» (FF x) 
. N) « 


Here we have been careful to retain the exact form of our previ- 
ous definitions. The successor branch expects an additional vari- 
able to be in scope (as indicated by its type), so it is converted to 
an ordinary term using lambda abstraction. 


Applying successor to the zero indeed reduces to the Scott nu- 
meral for one. 


_ 1 eval (gas 100) (*suc_ {2} “zero) = 


steps 
((X (X (K #1 + #2))) + (XK (K # 0)) 
= — ) 
K (K#1 + (K (KX #0))) 
LD) 
(done (K (X (° (~ (S Z)) + (K (KA ( (© Z)))))))) 
_=refl 


We can also define fixpoint. Using named terms, we define: 
pf=(Ax>eE- (x - x)) - (Ax > £ + (x += x)) 


This works because: 


£ (A x > £ (x x)) (A x > £ (x 
x))) 
£ - (yp £) 
uo: Vf}o( , xe exe) > (FF x) 
UN = (XK ((KX (#1 + (#0 + #0))) + (K (# 1+ (#0 + #0))))) - 


The argument to fixpoint is treated similarly to the successor 


(% 


branch of case. 


infix 5 w_ 


two: V{} oP ex 
two = “suc ‘suc “zero 


four: V {Tf} -[T + x 
four = “suc ‘suc “suc ‘suc “zero 


plus : V {Tf} -TrEex 
plus = uw X X (case (#1) (# 0) (‘suc (#3: #0: #1))) 


Because ~suc is now a defined term rather than primitive, it is 
no longer the case that plus - two - two reduces to four, 


but they do both reduce to the same normal term. 


Exercise plus-—eval (practice) 


Use the evaluator to confirm that plus - two - two and 
four normalise to the same term. 


-- Your code goes here 


Exercise multiplication-—untyped (recommended) 

Use the encodings above to translate your definition of multipli- 
cation from previous chapters with the Scott representation and 
the encoding of the fixpoint operator. Confirm that two times 
two is four. 


-- Your code goes here 


Exercise encode-more (stretch) 
Along the lines above, encode all of the constructs of Chapter 
More, save for primitive numbers, in the untyped lambda calcu- 


lus. 


-- Your code goes here 


Multi-step reduction is transitive 


In our formulation of the reflexive transitive closure of reduction, 
i.e., the ——> relation, there is not an explicit rule for transitivity. 
Instead the relation mimics the structure of lists by providing a 
case for an empty reduction sequence and a case for adding one 
reduction to the front of a reduction sequence. The following is 
the proof of transitivity, which has the same structure as the ap- 
pend function _++_ on lists. 


—-trans : V{T}{A}{L MN : TF A} 
~L—M 
~M—>N 
>~L—=N 
—-trans (M #) mn = mn 
—-trans (L —( r ) lm) mn =L —( rr ) (-—-trans Im mn) 


The following notation makes it convenient to employ transitiv- 
ity of —>. 


infixr 2 -—»(_)_ 


—({_) : Vf A} (L: T&A) {MN : PF FA} 


2s 


L —»( LM ) MeN = —-trans L—M MN 


Multi-step reduction is a congruence 


Recall from Chapter Induction that a relation R is a congruence 
for a given function f if it is preserved by that function, i.e., if 
R x y then R (f x) (f y). The term constructors A_ and 
_-_ are functions, and so the notion of congruence applies to 
them as well. Furthermore, when a relation is a congruence for 
all of the term constructors, we say that the relation is a congru- 
ence for the language in question, in this case the untyped 
lambda calculus. 


The rules &1, &2, and Z ensure that the reduction relation is a 


congruence for the untyped lambda calculus. The multi-step re- 
duction relation —— is also a congruence, which we prove in the 
following three lemmas. 


appL-cong : V {f} {L L'M: FT + x} 
>L—L' 


+L+M—wL' eM 
appL-cong {F}{L}{L'}{M} (L#)=L:Muo 
appL-cong {T}{L}{L'}{M} (L —( r ) rs) =L + M—( &1 r ) appL-cong 


The proof of appL-cong is by induction on the reduction se- 
quence L —~» L'. * Suppose L —~» L by L HE. Then we have 
L:-M-*» L-: Mby L -: M E.* Suppose L — L"'' by L 
—-( r ) rs,so L —+ L' by rand L' —> L'' by rs. We 


have L - M—> L' - Mby &; rand L' -M-*> L'' -M 
by the induction hypothesis applied to rs. We conclude that L 
- M-» L'' - Mby putting these two facts together using _— 
wD 4 


The proofs of appR-cong and abs-cong follow the same pat- 
tern as the proof for appL-cong. 


appR-cong : V {f} {L MM' : T + x} 
>M— M' 


>L:+M—~tL: M' 
appR-cong {Tf }{L}{M}{M'} (Ma) =L:+ MU 
appR-cong {fF }{L}{M}{M'} (M —( r ) rs) =L :- M—( &2 r ) appR-cong 
abs-cong : V {fF} {NN' :T , * F x} 


abs-cong (M &) 
(L — 


abs -cong (rr) rs) =X L—( Gr ) abs-cong rs 


Unicode 


This chapter uses the following unicode: 


*& U+2605 BLACK STAR (\st) 


The \st command permits navigation among many different 
stars; the one we use is number 7. 


Confluence: Confluence of untyped 
lambda calculus 


module plfa.part2.Confluence where 


Introduction 


In this chapter we prove that beta reduction is confluent, a prop- 
erty also known as Church-Rosser. That is, if there are reduction 
sequences from any term L to two different terms M; and Mp, 
then there exist reduction sequences from those two terms to 
some common term N. In pictures: 


where downward lines are instances of ——. 


Confluence is studied in many other kinds of rewrite systems be- 
sides the lambda calculus, and it is well known how to prove 
confluence in rewrite systems that enjoy the diamond property, a 
single-step version of confluence. Let > be a relation. Then > 
has the diamond property if whenever L > M and L ® MM, 
then there exists an N such that M1 > Nand M2 & N. This is 
just an instance of the same picture above, where downward 
lines are now instance of >. If we write >* for the reflexive 
and transitive closure of >, then confluence of >* follows im- 
mediately from the diamond property. 


Unfortunately, reduction in the lambda calculus does not satisfy 
the diamond property. Here is a counter example. 


(A X. xX KX) ((A x. xX) a) — (A x. x x) a 
(A x. KX X)((A x. x) a) — ((A xX. x) a) ((A x. X) 
a) 


Both terms can reduce to a a, but the second term requires two 
steps to get there, not one. 


To side-step this problem, we’ll define an auxiliary reduction re- 
lation, called parallel reduction, that can perform many reductions 
simultaneously and thereby satisfy the diamond property. Fur- 
thermore, we show that a parallel reduction sequence exists be- 
tween any two terms if and only if a beta reduction sequence ex- 
ists between them. Thus, we can reduce the proof of confluence 
for beta reduction to confluence for parallel reduction. 


Imports 


open import Relation.Binary.PropositionalEquality using ( = ; refl) 

open import Function using ( ° ) 

open import Data.Product using (_x ; 2; -syntax; 4; d-syntax; proji 
renaming (_,_ to (_,_)) 

open import plfa.part2.Substitution using (Rename; Subst) 


open es pifa. part2.Untyped 


using ( ; B; a; &2; C; _—»_; begin_; —(_) ; —»(_)_j]_8; 
abs-cong; 3 appl cong; appR-cong; —»-trans; 
Fj 2 PF Get OP Aes IP ds 


rename; ext; exts; Z; S_; subst; subst-zero) 


Parallel Reduction 

The parallel reduction relation is defined as follows. 
infix 3 = 
data _ = : WV {f A} > (FT F A) > ([ F A) = Set where 


pvar : V{T A}{x : T 3 A} 


pabs : V{T}{NN’ : PF , x F x} 
o>NoN 


papp : V{T}{L L’ MM’ : TF x} 
> LeL’ 


pbeta : V{F}{NN’ : 7 , * FE e}{M M’ : Fb x} 
-~Ne2aN 


The first three rules are congruences that reduce each of their 
parts simultaneously. The last rule reduces a lambda term and 
term in parallel followed by a beta step. 


We remark that the pabs, papp, and pbeta rules perform re- 
duction on all their subexpressions simultaneously. Also, the 
pabs rule is akin tothe Z rule and pbeta is akin to B. 


Parallel reduction is reflexive. 


par-refl : V{F A}{M:T FA} +>M-aM 

par-refl {[} {A} {* x} = pvar 

par-refl {[} {«} {X N} = pabs par-refl 

par-refl {[} {«} {L + M} = papp par-refl par-refl 


We define the sequences of parallel reduction as follows. 


infix 2 »=* 


infixr 2 -=( } 


infix 3 5 


data _=* : V {f A} > (TF A) = (fF F A) = Set where 


pi: V {0 A} (Mi: FRA) 


—: V {PF A} (L: T FA) {MN : PF FA} 


Exercise par-—diamond-eg (practice) 


Revisit the counter example to the diamond property for reduc- 
tion by showing that the diamond property holds for parallel re- 
duction in that case. 


-- Your code goes here 


Equivalence between parallel reduction and reduc- 
tion 


Here we prove that for any Mand N, M S* Nif and only if M 
—>» N. The only-if direction is particularly easy. We start by 
showing that if M —> N, then M > N. The proof is by induction 
on the reduction M —> N. 


beta-par : V{f A}{MN: fT + A} 

-~M—N 

-~Me=N 
beta-par {[} {x} {L - M} (&: r) = papp (beta-par {M = L} r) par-refl 
beta-par {[} {x} {L - M} (&2 r) = papp par-refl (beta-par {M = M} r) 
beta-par {[} {*«} {(X N) + M} B = pbeta par-refl par-refl 
beta-par {[} {x} {X N} (€ r) = pabs (beta-par r) 


With this lemma in hand we complete the only-if direction, that 
M —» Nimplies M >* N. The proof is a straightforward induc- 
tion on the reduction sequence M —> N. 


betas-pars : V{T A} {MN : FF A} 
>M—N 
> M =* N 
betas-pars {[} {A} {Mi} {.Mi} (Mi 8) =™Mi 8 


betas-pars {[} {A} {.L} {N} (L —( b ) bs) = 
L =( beta-par b ) betas-pars bs 


Now for the other direction, that M >* N implies M — N. 
The proof of this direction is a bit different because it’s not the 
case that M S Nimplies M — N. After all, M > N performs 
many reductions. So instead we shall prove that M > N implies 
M—> N. 


par-betas : V{T A}{MN:T + A} 
-Me=N 
>M—N 
par-betas {[} {A} {.(° _)} (pvar{x = x}) = (~ x) I 
par-betas {[} {x} {X N} (pabs p) = abs-cong (par-betas p) 
par-betas {Tf} {x} {L + M} (papp {L = L}{L°}{M}{M’} pi pz) = 
begin 
L + M —»( appL-cong{M = M} (par-betas pi) ) 


L’ - M -—»( appR-cong (par-betas pz) ) 
L’ : M’ 
| 

par-betas {[} {x} {(X N) - M} (pbeta{N’ = N’}{M’ = M’} pi p2) = 
begin 
(XN) «= M —»( appL-cong{M = M} (abs-cong (par 
(X N’) + M — »( appR-cong{L = X N’} (par-betas 
(A N’) + M’ —( 8 ) 
N’ [ M J 


The proof is by induction on M > N. 
* Suppose x > x. We immediately have x —> x. 


* Suppose A N > A N’ because N % N’. By the induc- 
tion hypothesis we have N —~» N’. We conclude that A 
N —~ A N’ because —~ is a congruence. 


* Suppose L - M > L’ - M’ because L > L’ and M & 
M’. By the induction hypothesis, we have L —» L’ and 
M-—» M’.So L - M-—~ L’ + Mandthen L’ -M — 
> L' + M’ because —— is a congruence. 


* Suppose (AN) - M ® N’ [ M’ ] because N 3 N’ 


and M => M’. By similar reasoning, we have (A N) - M 
—~» (A N’') + M’ which we can following with the £ re- 
duction (A N’) - M’ — N’ [M’ ]. 


With this lemma in hand, we complete the proof that M >* N 
implies M —>» N witha simple induction on M >* N. 


pars-betas : V{T A} {MN : FF A} 
+ M =* N 


>M—N 
pars-betas (Mi #) = Mi # 
pars-betas (L =( p ) ps) = —»-trans (par-betas p) (pars-betas ps) 


Substitution lemma for parallel reduction 


Our next goal is to prove the diamond property for parallel re- 
duction. But to do that, we need to prove that substitution re- 
spects parallel reduction. That is, if N > N’ and M > M’, then 
N [M ]2N’ [ M’ ]. We cannot prove this directly by in- 
duction, so we generalize it to: if N > N’ and the substitution 
o pointwise parallel reduces to t, then subst o N » subst 
t N’. We define the notion of pointwise parallel reduction as 
follows. 


par-subst : V{T A} > Subst TF A > Subst T A = Set 
par-subst {[}{A} o o’ = V{A}{x : TF 3 A} 70 x30" x 


Because substitution depends on the extension function exts, 
which in turn relies on rename, we start with a version of the 
substitution lemma, called par-rename, that is specialized to 
renamings. The proof of par-rename relies on the fact that re- 
naming and substitution commute with one another, which is a 
lemma that we import from Chapter Substitution and restate 
here. 


rename-subst-commute : V{T A}{N:T , *« FE x¥}{M : TF + x}{p : Rename [ 
> (rename (ext p) N) [ rename p M ] = rename p (N [ M ]) 
rename-subst-commute {N = N} = plfa.part2.Substitution.rename-subst- 


Now for the par-rename lemma. 


par-rename : V{l A A} {p : Rename TF A} {MM’ : T + A} 
>o>M=aM’ 


- rename p M = rename p M’ 
par-rename pvar = pvar 
par-rename (pabs p) = pabs (par-rename p) 
par-rename (papp pi pz) = papp (par-rename pi) (par-rename pz) 
par-rename {F}{A}{A}{p} (pbeta{l }{N}{N’}{M}{M’} p12 pz) 
with pbeta (par-rename{p = ext p} pi) (par-rename{p 


= Pp} pz) 
| G rewrite rename-subst-commute{l }{A}{N’}{M’ }{p} = G 


The proof is by induction on M > M’. The first three cases are 
straightforward so we just consider the last one for pbeta. 


* Suppose (AN) -M ® N’ [ M’ ] because N 3 N’ 
and M & M’. By the induction hypothesis, we have 
rename (ext op) N ® rename (ext op) N’ and 
rename 9 M » rename p M’. So by pbeta we have 
(A rename (ext eo) N) +: (rename po M) ® 
(rename (ext oe) N) [ rename pe M ]. However, to 
conclude we instead need parallel reduction to rename p 
(N [ M ]). But thankfully, renaming and substitution 
commute with one another. 


With the par-rename lemma in hand, it is straightforward to 
show that extending substitutions preserves the pointwise paral- 
lel reduction relation. 


par-subst-exts : V{T A} {o t : Subst T A} 
> par-subst o T 


> V{B} > par-subst (exts o {B = B}) (exts T) 
par-subst-exts s {x = Z} = pvar 
par-subst-exts s {x = S x} = par-rename s 


The next lemma that we need for proving that substitution re- 
spects parallel reduction is the following which states that simul- 
taneous substitution commutes with single substitution. We im- 
port this lemma from Chapter Substitution and restate it below. 


subst-commute : V{T A}{N : F , x F «}{M : TF & x}{o : Subst F A } 
~ subst (exts o) N [ subst o M ] = subst o (N [ M ]) 
subst-commute {N = N} = plfa.part2.Substitution.subst-commute {N = h 


We are ready to prove that substitution respects parallel reduc- 
tion. 


subst-par : V{T A A} {o t : Subst FT A} {MM’ : FT + A} 
> par-substo tT > M=aM’ 
> subst o M = subst Tt M’ 
subst-par {Ff} {A} {A} {o} {t} {> x} s pvar =s5 
subst-par {[} {A} {A} {o} {t} {X N} s (pabs p) = 
pabs (subst-par {o = exts o} {t = exts T} 
(A {A}{x} > par-subst-exts s {x = x}) p) 
subst-par {[} {A} {x} {o} {t} {L - M} s (papp pi pz) = 
papp (subst-par s pi) (subst-par s pz) 
subst-par {[} {A} {x} {o} {t} {(X N) - M} s (pbeta{N’ = N’}{M’ = M’} 
with pbeta (subst-par{o = exts o}{t = exts T}{M = N} 
(A{A}{x} > par-subst-exts s {x = x}) pi) 
(subst-par {o = o} § pz) 
... | G rewrite subst-commute{N = N’}{M = M’}{o = Tt} =G 


We proceed by induction on M > M’. 


Suppose x » x. Weconclude that o x > 1 x using the 
premise par-subst o t. 


Suppose A N » A N’ because N & N’. To use the in- 
duction hypothesis, we need par-subst (exts 0) 
(exts t), which we obtain by par-subst-exts. So we 
have subst (exts o) N ® subst (exts tT) N’ 
and conclude by rule pabs. 


Suppose L - MS L’ - M’ because L » L’ and M » 
M'. By the induction hypothesis we have subst o L 9 
subst t L’ and subst o M ® subst t M’, so we 
conclude by rule papp. 


Suppose (AN) -M S® N’ [ M’ ] because N 3 N’ 
and M » M’. Again we obtain par-subst (exts o) 
(exts t) by par-subst-exts. So by the induction hy- 


pothesis, we have subst (exts o) N ® subst 
(exts t) N’ and subst o M ® subst t M’. Then 
by rule pbeta, we have parallel reduction to subst 
(exts t) N’ [ subst t M’_ ]. Substitution commutes 
with itself in the following sense. For any o, N, and M, we 
have 


(subst (exts o) N) [ subst o M ] = subst 
o (N [M ]) 


So we have parallel reduction to subst t (N’ [ M’ 
]). 


Of course, if M > M’, then subst-zero M pointwise parallel 
reduces to subst-zero M’. 


par-subst-zero : V{T}{A}{MM’ : TF A} 
-~MsaM 


> par-subst (subst-zero M) (subst-zero M’ ) 
par-subst-zero {M} {M’} p {A} {Z} =p 
par-subst-zero {M} {M’} p {A} {S x} = pvar 


We conclude this section with the desired corollary, that substi- 
tution respects parallel reduction. 


sub-par : V{T AB} {NN’ :F , At B} {MM : FT + A} 
>N=N 


-N[M]>5N° [WM ] 
sub-par pn pm = subst-par (par-subst-zero pm) pn 


Parallel reduction satisfies the diamond property 


The heart of the confluence proof is made of stone, or rather, of 
diamond! We show that parallel reduction satisfies the diamond 
property: thatif M > Nand M 3 N’, then N > Land N’ & 
L for some L. The typical proof is an induction on M > N and 
M > N’ so that every possible pair gives rise to a witness L 
given by performing enough beta reductions in parallel. 


However, a simpler approach is to perform as many beta reduc- 
tions in parallel as possible on M, say M *, and then show that N 
also parallel reduces to M *. This is the idea of Takahashi’s com- 
plete development. The desired property may be illustrated as 


where downward lines are instances of >, so we call it the trian- 
gle property. 


Wow Wo Wo 


par-triangle : V {f A} {MN : FF A} 
-Me2=N 
-N=M*t 

par-triangle pvar 

par-triangle (pabs p) pabs (par-triangle p) 

par-triangle (pbeta pl p2) = sub-par (par-triangle pl) (par-triangle 

par-triangle (papp {L = X _ } (pabs pl) p2) = 
pbeta (par-triangle pl) (par-triangle p2) 

par-triangle (papp {L = ~ } pl p2) = papp (par-triangle pl) (par- 

par-triangle (papp {L = 


pvar 


- } pl p2) = papp (par-triangle pl) (par- 


The proof of the triangle property is an induction on M > N. 


* Suppose x § x. Clearly x * = x,so x 9 x *. 


* Suppose A M > A _N. By the induction hypothesis we 
have N » M “and by definition (A M) * = A (M *), 


so we conclude that A N 3 A (M *),. 


Suppose (A N) - M > N’ [ M’ ]. By the induction 
hypothesis, we have N’ > N * and M’ & M *, Since 
substitution respects parallel reduction, it follows that N’ 
[ M’ ] > N* [ M * ], but the right hand side is ex- 
actly ((A N) - M) *,hence N’ [ M’ ] ® ((A N) 
M) *. 


Suppose (A L) - MS (A L’) - M’. By the induction 
hypothesis we have L’ S L *and M’ & M *; by defini- 
tion ((A L) - M) * =L* [ M * J. It follows (A L 
') > M > L* EM? ]. 


Suppose x - M > x - M’. By the induction hypothesis 
we have M’ > M *and x > x *sothat x - M’ > x 

M *. The remaining case is proved in the same way, so 
we ignore it. (As there is currently no way in Agda to ex- 
pand the catch-all pattern in the definition of _* for us be- 
fore checking the right-hand side, we have to write down 
the remaining case explicitly.) 


The diamond property then follows by halving the diamond into 
two triangles. 


That is, the diamond property is proved by applying the triangle 
property on each side with the same confluent term ™M *. 


par-diamond : V{T A} {MN N’ : F - A} 
»>Me-=N 
>MaN’ 


> [LET FA] (NL) x (N’ sL) 
par-diamond {M = M} pl p2 = ( M* , ( par-triangle pl , par-triangle 


This step is optional, though, in the presence of triangle prop- 


erty. 
Exercise (practice) 


* Prove the diamond property par-diamond directly by in- 
ductionon M 5 Nand M > N’. 


Draw pictures that represent the proofs of each of the six 
cases in the direct proof of par-diamond. The pictures 
should consist of nodes and directed edges, where each 
node is labeled with a term and each edge represents par- 
allel reduction. 


Proof of confluence for parallel reduction 


As promised at the beginning, the proof that parallel reduction is 
confluent is easy now that we know it satisfies the triangle prop- 
erty. We just need to prove the strip lemma, which states that if 
M > Nand M >* N’,then N >* Land N’ > 1 forsome L. 
The following diagram illustrates the strip lemma 


where downward lines are instances of > or >*, depending on 
how they are marked. 


The proof of the strip lemma is a straightforward induction on M 
=>* N’, using the triangle property in the induction step. 


strip : V{T A} {MN N’ : T + A} 
->M=N 


SED LEPEA] (N=*L) x (N= L) 
strip{l }{A}{M}{N}{N°} mn ( 
strip{l }{A}{M}{N}{N7} mn ( 

with strip (par-triangle 

: ) 


} (bE, (UW, n't! , {( N >( par-triangle mn ) ll' , 


The proof of confluence for parallel reduction is now proved by 


induction on the sequence M * N, using the above lemma in 
the induction step. 


par-confluence : V{T A} {L Mi M2 : T + A} 
> L =* M 


> XY[ NETEA] (M 3* N) x (M2 =* N) 
par-confluence {[}{A}{L}{.L}{N} (L #) L=*N=(N, ( L=*N,Ne#) ) 
par-confluence {[}{A}{L}{Mi’}{M2} (L 3( L=Mi ) Mis*Mi’) L=*M2 
with strip L=Mi L=*M2 
| ( N, ( Mi=*N , M2=N ) ) 
with par-confluence Mi=*Mi’ Mi=*N 
| (N°, ( Mi’s*N’ , Ne*N’ ) ) = 
(No, ( Mi’=*N’ , (M2 3( M2=N ) No*N’) ) ) 


The step case may be illustrated as follows: 


where downward lines are instances of > or 4*, depending on 
how they are marked. Here (a) holds by strip and (b) 
holds by induction. 


Proof of confluence for reduction 


Confluence of reduction is a corollary of confluence for parallel 
reduction. From L —>» Mi and L —~» Mz we have L >* My 
and L »* M2 by betas-pars. Then by confluence we obtain 
some L such that My 5* Nand M2 * N, from which we con- 
clude that M1 —» Nand Mz —» Nby pars-betas. 


confluence : V{fT A} {L Mi Mz : T - A} 
>o>bL— M 


> XY[NEPFEA ] (Mi — N) x (M2 — N) 
confluence L»M1 L»M2 
with par-confluence (betas-pars L»Mi) (betas-pars L»Mz2) 
| ( N, ( MiaN , M2aeN ) ) = 
( N , ( pars-betas Mi=N , pars-betas M2=N ) }) 


Notes 


Broadly speaking, this proof of confluence, based on parallel re- 
duction, is due to W. Tait and P. Martin-Lof (see Barendregt 
1984, Section 3.2). Details of the mechanization come from sev- 
eral sources. The subst-par lemma is the “strong substitutiv- 
ity” lemma of Shafer, Tebbi, and Smolka (ITP 2015). The proofs 
of par-triangle, strip, and par-confluence are based 
on the notion of complete development by Takahashi (1995) and 
Pfenning’s 1992 technical report about the Church-Rosser theo- 
rem. In addition, we consulted Nipkow and Berghofer’s mecha- 
nization in Isabelle, which is based on an earlier article by Nip- 
kow (JAR 1996). 


Unicode 


This chapter uses the following unicode: 


> U+21DB RIGHTWARDS TRIPLE ARROW (\r== or 


\Rrightarrow) 
* U+207A SUPERSCRIPT PLUS SIGN (\*+) 


BigStep: Big-step semantics of untyped 
lambda calculus 


module plfa.part2.BigStep where 


Introduction 


The call-by-name evaluation strategy is a deterministic method 
for computing the value of a program in the lambda calculus. 
That is, call-by-name produces a value if and only if beta reduc- 
tion can reduce the program to a lambda abstraction. In this 
chapter we define call-by-name evaluation and prove the forward 
direction of this if-and-only-if. The backward direction is tradi- 
tionally proved via Curry-Feys standardisation, which is quite 
complex. We give a sketch of that proof, due to Plotkin, but post- 
pone the proof in Agda until after we have developed a denota- 
tional semantics for the lambda calculus, at which point the 
proof is an easy corollary of properties of the denotational se- 
mantics. 


We present the call-by-name strategy as a relation between an in- 
put term and an output value. Such a relation is often called a 
big-step semantics, written M J Vv, as it relates the input term M 
directly to the final result Vv, in contrast to the small-step reduc- 
tion relation, M —> M’, that maps M to another term ™M’ in 
which a single sub-computation has been completed. 


Imports 


open import Relation.Binary.PropositionalEquality 


using ( = ; refl; trans; sym; cong-app) 
open import Data.Product using (_x ; 2; X-syntax; 4; d-syntax; proji 
renaming (_, to (, _)) 


open import Function using (_°_) 


open import plfa.part2.Untyped 
using (Context; FF; 3; *3 @ ,;2;S5 5; ;#;%3 °;3 


subst; subst-zero; exts; rename; B; &1; &2; €; —>; —-; —3( 


—-trans; appL-cong) 
open import plfa.part2.Substitution using (Subst; ids) 


Environments 


To handle variables and function applications, there is the choice 
between using substitution, as in —-, or to use an environment. 
An environment in call-by-name is a map from variables to clo- 
sures, that is, to terms paired with their environments. We 
choose to use environments instead of substitution because the 
point of the call-by-name strategy is to be closer to an implemen- 
tation of the language. Also, the denotational semantics intro- 
duced in later chapters uses environments and the proof of ade- 
quacy is made easier by aligning these choices. 


We define environments and closures as follows. 


ClosEnv : Context - Set 


data Clos : Set where 
clos : V{—f} ~- (Mi: Ff & x) ~ ClosEnv F = Clos 


ClosEnv Fr = V (x : fF 3 x«) - Clos 


As usual, we have the empty environment, and we can extend an 
environment. 


@' : ClosEnv 2 


> ClosEnv T = Clos = ClosEnv (fT , x) 
Cc 
)=yxX 


Big-step evaluation 


The big-step semantics is represented as a ternary relation, writ- 
ten y -F M J v, where y is the environment, M is the input 
term, and V is the result value. A value is a closure whose term is 
a lambda abstraction. 


data Fu _: V{f} > ClosEnv F > (FT # x*) > Clos > Set where 


u-var : V{P}{y : ClosEnv F}{x : F 3 x}{A}{6 : ClosEnv A}{M : AF 4 
> yx =clos M6 


u-lam : V{T}{y : ClosEnv F}{M: TF , * F x} 
>vytEXMszs clos (XM) y 


u-app : V{P}{y : ClosEnv F}{L M: F + x}{A}{6 : ClosEnv A}{N: A, 
>vybFLuiclos (XN) 6 >= (68,' closMy)FNuV 


* The J-—var rule evaluates a variable by finding the associ- 
ated closure in the environment and then evaluating the 
closure. 


The J-lam rule turns a lambda abstraction into a closure 
by packaging it up with its environment. 


* The J-app rule performs function application by first 
evaluating the term L in operator position. If that pro- 
duces a closure containing a lambda abstraction A N, then 
we evaluate the body N in an environment extended with 
the argument M. Note that M is not evaluated in rule J- 
app because this is call-by-name and not call-by-value. 


Exercise big-step-—eg (practice) 


Show that (A A #1) + ((A #0 + #0) + A #0; # 
0) ) terminates under big-step call-by-name evaluation. 


-- Your code goes here 


The big-step semantics is deterministic 


If the big-step relation evaluates a term ™ to both v and v’, 
then v and v’ must be identical. In other words, the call-by- 


name relation is a partial function. The proof is a straightforward 
induction on the two big-step derivations. 


u-determ : V{T}{y : ClosEnv F}{M : F + «}{V V' : Clos} 
->VFMuVoyrFMi V' 
-VeV' 
u-determ (u-var eql mc) (4-var eq2 mc') 
with trans (sym eql) eq2 
| refl = u-determ mc mc' 
u-determ u-lam u-lam = refl 
u-determ (s-app mc mci) (4-app mc' mc'') 
with u-determ mc mc' 
... | refl = u-determ mci mc'' 


Big-step evaluation implies beta reduction to a 
lambda 


If big-step evaluation produces a value, then the input term can 
reduce to a lambda abstraction by beta reduction: 


@' tmMJd clos (AN’) 6 


-T[_NEDB, *KEWw] (MAN) 


The proof is by induction on the big-step derivation. As is often 
necessary, one must generalize the statement to get the induction 
to go through. In the case for !-—app (function application), the 
argument is added to the environment, so the environment be- 
comes non-empty. The corresponding ( reduction substitutes the 
argument into the body of the lambda abstraction. So we gener- 
alize the lemma to allow an arbitrary environment y and we add 
a premise that relates the environment y to an equivalent substi- 
tution o. 


The case for J—app also requires that we strengthen the conclu- 
sion. In the case for /-app we have y F L ! clos (A N) 6 
and the induction hypothesis gives us L —~» A N’, but we need 
to know that N and N’ are equivalent. In particular, that N’ = 
subst t N where t is the substitution that is equivalent to 6. 
Therefore we expand the conclusion of the statement, stating 
that the results are equivalent. 


We make the two notions of equivalence precise by defining the 
following two mutually-recursive predicates V ~ Mand y *e 
oO. 


uv 


: Clos = (@ F x) > Set 
_ : V{T} > ClosEnv FT - Subst T @ > Set 


u 
o 


(clos {f} My) = N=2[ o € Subst Ff @ ] y =e o x (N = Subst o M) 


VY =e 6 = VX > (y X) = (60 x) 


We can now state the main lemma: 


If yy MJUV and y *%e o, 
then subst o M-—-~* N and Vx N~ for some N. 


Before starting the proof, we establish a couple lemmas about 
equivalent environments and substitutions. 


The empty environment is equivalent to the identity substitution 
ids, which we import from Chapter Substitution. 


=e-id : @' =e ids 
=e-id () 


Of course, applying the identity substitution to a term returns the 
same term. 


sub-id : V{T} {A} {M : TF + A} > subst ids M=M 
sub-id = plfa.part2.Substitution.sub-id 


We define an auxiliary function for extending a substitution. 


ext-subst : V{T A} - Subst FT A> AE x > Subst (FT , x) A 
ext-subst{T}{A} o N {A} = subst (subst-zero N) o exts o 


The next lemma we need to prove states that if you start with an 
equivalent environment and substitution y ~e o, extending 
them with an equivalent closure and term V ~ N produces an 
equivalent environment and substitution: (y ,' V) *e (ext- 
subst o N), or equivalently, (y ,' V) x »* (ext-subst 


o N) x for any variable x. The proof will be by induction on x 
and for the induction step we need the following lemma, which 
states that applying the composition of exts o and subst- 
zero to S x is the same as just o x, which is a corollary of a 
theorem in Chapter Substitution. 


subst-zero-exts : V{T A}{o : Subst F A}{B}{M : At B}{x : TF 5 
~ (subst (subst-zero M) © exts o) (S x) =o x 
subst-zero-exts {f}{A}{o}{B}{M}{x} = 
cong-app (plfa.part2.Substitution.subst-zero-exts-cons{o = 


So the proof of ~e-ext is as follows. 


=e-ext : V {fT} {y : ClosEnv [} {o : Subst F o} {V} {N: OE x 
> VF 0 - VEN 


= (y ,' V) =e (ext-subst o N) 


=e-ext {fT} {y} {o} {V} {N} y=eo VEN Z = VEN 
=e-ext {T} {y} {o} {V} {N} y=eo V=N (S x) 
rewrite subst-zero-exts {o = o}{M = N}{x} = y=eo xX 


We proceed by induction on the input variable. 


* If itis Z, then we immediately conclude using the premise 
V * N. 


- If it is S x, then we rewrite using the subst-zero- 
exts lemma and use the premise y ~e o to conclude. 


To prove the main lemma, we need another technical lemma 
about substitution. Applying one substitution after another is the 
same as composing the two substitutions and then applying 
them. 


sub-sub : V{T A X}{A}{M : FT F A} {01 : Subst F A}{oz2 : Subst 
> subst o2 (subst o1 M) = subst (Subst 62 © o1) M 
sub-sub {M = M} = plfa.part2.Substitution.sub-sub {M = M} 


We arrive at the main lemma: if M big steps to a closure V in en- 
vironment y, andif y ~e o, then subst o M reduces to some 
term N that is equivalent to v. We describe the proof below. 


x} 


A x} 


to—ex= : V{IT}{y : ClosEnv [}{o : Subst F o}{M : [T + x}{V : Clos} 
-VYFMuVvV => ye oO 
>~X[NE@tx* ] (subst oM—N) xVEN 
Jo—»x= {fy = y} (u-var{x = x} yx=L6 6HLUV) y=eo 
with y x | yeo x | yx=L6 
... | closL 6 | (tT, ( 6%et , ox=tL ) ) | refl 
with i+-»x={o = tT} 6ELUV 6=eT 
|} ( N, ( TL-N , VEN ) ) rewrite ox=tL = 
( N, ( tTL-N , VaN ) ) 
to—»x= {o = o} {V = clos (A N) y} (u-lam) y=eo = 
{ subst o (XN) , ( subst o (AN) ©, (6, ( yeeo , refl ) ) ) 
to—»x={T}{y} {o = o} {L - M} {V} (u-app {N = N} LuAN6 NuV) y=eo 
with ss—-x={o = 6} LUAN5 y=eo 
|} ( — , ( OL-—»ATN , ( tT, ( 6%et , SATN ) ) ) ) rewrite =XTN 
with i+—-x= {o = ext-subst t (subst o M)} NuV 
(A X > =e-ext{o = tT} b=eT ( O , ( yeeo , refl ) ) x) 
| B{@}{subst (exts Tt) N}{subst o M} 
| ( N'., ( —N', VeN' ) ) | ATNeoM-> 
rewrite sub-sub{M = N}{o1 = exts t}{o2 = subst-zero (subst c 
let rs = (X subst (exts tT) N) + subst o M —( XTN:oM—=> ) —h 
let g = —»-trans (appL-cong oL—»ATN) rs in 
(N', (g, VEN' ) ) 


The proof is by induction on y - M J v. We have three cases 
to consider. 


* Case J-var. So we have y x = clos L 6and 6 FL 
J v. We need to show that subst o (* x) —~» Nand 
Vv x Nforsome N. The premise y ~e otells us that y x 
x oO x, SO clos L 6 * o x. By the definition of ~, 
there exists a t such that 6 xe tand o x = subst 1 
L. Using 6 F L J vand 6 *¢ 1, the induction hypoth- 
esis gives us subst t L —» Nand V * N forsome N. 
So we have shown that subst o x —» Nand V ~ N 
for some N. 


Case J-lam. We immediately have subst o (A N) —> 
subst o (A N) and clos (subst o (A N)) vy * 
subst o (A N). 


Case J-app. Using y | L J! clos (A N) 6and y *e 
o, the induction hypothesis gives us 


subst o L —~ A subst (exts Tt) N 
(1) 


and 6 ~e t forsome t. From y*eo we have clos M vy 
x subst o M. Then with (6 ,' clos My) FN J 
V, the induction hypothesis gives us V ~ N' and 


subst (subst (subst-zero (subst o M)) ° 
(exts tT)) N—N! (2) 


Meanwhile, by 8, we have 


(A subst (exts 1) N) +: subst o M 
—> subst (subst-zero (subst o M)) (subst 
(exts tT) N) 


which is the same as the following, by sub-sub. 


(A subst (exts 1) N) + subst o M 
—> subst (subst (subst-zero (subst o M)) ° 
exts Tt) N (3) 


Using (3) and (2) we have 


(A subst (exts t) N) + subst o M — N'! 
(4) 


From (1) we have 


subst o L - subst o M — (A subst (exts 
tT) N) - subst oM 


which we combine with (4) to conclude that 
subst o L - subst o M-—~ N'! 


With the main lemma complete, we establish the forward direc- 
tion of the equivalence between the big-step semantics and beta 
reduction. 


cbn-reduce : V{M : @F «}{A}{6 : ClosEnv A}{N’ : A , * F x} 
> @' t-Mu4 clos (XN’) 6 


~Y[_NEB,xEx* |] (MXN) 
cbn-reduce {M}{A}{6}{N’} Muc 
with i+—-x={o = ids} Muc =e-id 
|} (N, (rs ,{o, (h, eq2 ) ) ) ) rewrite sub-id{M = M} | « 
( subst (exts o) N’ , rs ) 


Exercise big-alt-implies-—multi (practice) 


Formulate an alternative big-step semantics, of the form M |! N, 
for call-by-name that uses substitution instead of environments. 
That is, the analogue of the application rule !-—app should per- 
form substitution, asin N [ M ], instead of extending the envi- 
ronment with M. Prove that M 4 Nimplies M —> N. 


-- Your code goes here 


Beta reduction to a lambda implies big-step evalua- 
tion 


The proof of the backward direction, that beta reduction to a 
lambda implies that the call-by-name semantics produces a re- 
sult, is more difficult to prove. The difficulty stems from reduc- 
tion proceeding underneath lambda abstractions via the Z rule. 
The call-by-name semantics does not reduce under lambda, so a 
straightforward proof by induction on the reduction sequence is 
impossible. In the article Call-by-name, call-by-value, and the i- 
calculus, Plotkin proves the theorem in two steps, using two aux- 
iliary reduction relations. The first step uses a classic technique 
called Curry-Feys standardisation. It relies on the notion of stan- 
dard reduction sequence, which acts as a half-way point between 
full beta reduction and call-by-name by expanding call-by-name 
to also include reduction underneath lambda. Plotkin proves that 
M reduces to Lif and only if Mis related to L by a standard re- 
duction sequence. 


Theorem 1 (Standardisation) 
“M —» L° if and only if “M goes to “L° via a 
standard reduction sequence. 


Plotkin then introduces left reduction, a small-step version of call- 
by-name and uses the above theorem to prove that beta reduc- 
tion and left reduction are equivalent in the following sense. 


Corollary 1 
“M —» AN if and only if “M goes to “A N’-, 
for some “N’°, by left reduction. 


The second step of the proof connects left reduction to call-by- 
name evaluation. 


Theorem 2 
“M left reduces to “A N if and only if “FM J 
AN. 


(Plotkin’s call-by-name evaluator uses substitution instead of en- 
vironments, which explains why the environment is omitted in 
t+ mM J A Nin the above theorem statement.) 


Putting Corollary 1 and Theorem 2 together, Plotkin proves that 
call-by-name evaluation is equivalent to beta reduction. 


Corollary 2 
“M—» AN if and only if ~F MYAN'’* for some 
see 


Plotkin also proves an analogous result for the A, calculus, relat- 
ing it to call-by-value evaluation. For a nice exposition of that 
proof, we recommend Chapter 5 of Semantics Engineering with PLT 
Redex by Felleisen, Findler, and Flatt. 


Instead of proving the backwards direction via standardisation, 
as sketched above, we defer the proof until after we define a de- 
notational semantics for the lambda calculus, at which point the 
proof of the backwards direction will fall out as a corollary to the 
soundness and adequacy of the denotational semantics. 


Unicode 


This chapter uses the following unicode: 


x U+2248 ALMOST EQUAL TO (\~~ or \approx) 

e U+2091 LATIN SUBSCRIPT SMALL LETTER E (\_e) 
fF U+22A2 RIGHT TACK (\|- or \vdash) 

al U+21DB DOWNWARDS DOUBLE ARROW (\d= or 
\Downarrow) 


Part 3: Denotational Seman- 
tics 


We have the empty environment, and we can extend an environ- 
ment.We can recover the previous environment from an ex- 
tended environment, and the last value. Putting them together 
again takes us back to where we started. 


Denotational: Denotational semantics of 
untyped lambda calculus 


module plfa.part3.Denotational where 


The lambda calculus is a language about functions, that is, map- 
pings from input to output. In computing we often think of such 
mappings as being carried out by a sequence of operations that 
transform an input into an output. But functions can also be rep- 
resented as data. For example, one can tabulate a function, that 
is, create a table where each row has two entries, an input and 
the corresponding output for the function. Function application 
is then the process of looking up the row for a given input and 
reading off the output. 


We shall create a semantics for the untyped lambda calculus 
based on this idea of functions-as-tables. However, there are two 
difficulties that arise. First, functions often have an infinite do- 
main, so it would seem that we would need infinitely long tables 
to represent functions. Second, in the lambda calculus, functions 
can be applied to functions. They can even be applied to them- 
selves! So it would seem that the tables would contain cycles. 
One might start to worry that advanced techniques are necessary 
to address these issues, but fortunately this is not the case! 


The first problem, of functions with infinite domains, is solved by 
observing that in the execution of a terminating program, each 
lambda abstraction will only be applied to a finite number of dis- 
tinct arguments. (We come back later to discuss diverging pro- 
grams.) This observation is another way of looking at Dana 
Scott’s insight that only continuous functions are needed to 
model the lambda calculus. 


The second problem, that of self-application, is solved by relax- 
ing the way in which we lookup an argument in a function’s ta- 
ble. Naively, one would look in the table for a row in which the 
input entry exactly matches the argument. In the case of self-ap- 
plication, this would require the table to contain a copy of itself. 
Impossible! (At least, it is impossible if we want to build tables 
using inductive data type definitions, which indeed we do.) In- 
stead it is sufficient to find an input such that every row of the 
input appears as a row of the argument (that is, the input is a 
subset of the argument). In the case of self-application, the table 
only needs to contain a smaller copy of itself, which is fine. 


With these two observations in hand, it is straightforward to 
write down a denotational semantics of the lambda calculus. 


Imports 


open import Agda.Primitive using (lzero; lsuc) 

open import Data.Nat using (N; zero; suc) 

open import Data.Product using (_x ; 2; =-syntax; 4; d-syntax; proji 
renaming (_,_ to (_, )) 


open import Data.Sum 


open import Data.Vec using (Vec; []; _=_) 
open import Relation.Binary.PropositionalEquality 
using (=; #; refl; sym; cong; congz2; cong-app) 


open import Relation.Nullary using (-_) 
open import Relation.Nullary.Negation using (contradiction) 
open import Function using ( ° ) 
open import plfa.part2.Untyped 
using (Context; *;} 3; 9; ,;Z3;S; Kj; 3 «343 
# ; twoc; ext; rename; exts; subst; subst-zero; [ ]) 
open import plfa.part2.Substitution using (Rename; extensionality; r 


Values 


The Value data type represents a finite portion of a function. 
We think of a value as a finite set of pairs that represent input- 
output mappings. The Value data type represents the set as a 
binary tree whose internal nodes are the union operator and 
whose leaves represent either a single mapping or the empty set. 


* The 1 value provides no information about the computa- 


tion. 


* A value of the form v » w isa single input-output map- 
ping, from input v to output w. 


* A value of the form v U wis a function that maps inputs 
to outputs according to both v and w. Think of it as tak- 
ing the union of the two sets. 


infixr 7 » 


infixl 5 u 


data Value : Set where 
il : Value 
» : Value - Value > Value 


_u_: Value > Value = Value 


The E relation adapts the familiar notion of subset to the Value 
data type. This relation plays the key role in enabling self-appli- 
cation. There are two rules that are specific to functions, E-fun 
and E-dist, which we discuss below. 


infix 4 _c_ 


data C : Value > Value > Set where 


C-bot : V{v} > Lev 


cC-conj-L : V {u v w} 


C-conj-R1l : V f{u v w} 
>UEV 


C-conj-R2 : V {u v w} 
>ucEw 


cC-dist : V{v w w’} 


The first five rules are straightforward. The rule E-fun captures 
when it is OK to match a higher-order argument v’' ~ w’ toa 
table entry whose input is v ~~ w. Considering a call to the 
higher-order argument. It is OK to pass a larger argument than 
expected, so v can be larger than v’. Also, it is OK to disregard 
some of the output, so w can be smaller than w’. The rule E- 
dist says that if you have two entries for the same input, then 
you can combine them into a single entry and joins the two out- 
puts. 


The E relation is reflexive. 


I 
ES 
Oo 
Hcy 
c- 

Aa 
KF 


refl {ve vi }= c-refl C-refl 
-refl {vi U v2} = E-conj-L (€-conj-R1 €-refl) (E-conj-R2 C-refl) 


In In In in 


The U operation is monotonic with respect to &, that is, given 
two larger values it produces a larger value. 


- (v Uw) 7 u ae 


The E-dist rule can be used to combine two entries even when 


the input values are not identical. One can first combine the two 
inputs using U and then apply the ©-dist rule to obtain the fol- 
lowing property. 


LibLi-dist : V{v v’ ww’ : Value} 
~-(vuUv’) » (wUwWw’) & (vew) U (v 
LibLI-dist = &-trans E-dist (WEL! (&-fun 
(E-fun (c- 


Phe) 
(€-conj-R1 €-refl) ©-refl) 
conj-R2 E-refl) C-refl)) 


If the join u U v is less than another value w, then both u and 
v are less than w. 


Lic-invL : V{u v w: Value} 
>uuvew 


>uEw 
UE-invL (E-conj-L ltl 1t2) = 1tl 
UE-invL (E-conj-R1l lt) = E-conj-R1l (UE-invL lt) 
UE-invL (E-conj-R2 lt) = E-conj-R2 (UE-invL lt) 
UE-invL (E-trans ltl 1t2) = &-trans (WE-invL 1t1l) 1t2 


Lic-invR : V{u v w: Value} 
>uuUvew 
>vEw 
UE-invR (E-conj-L ltl 1t2) = 1t2 
UE-invR (E-conj-R1l lt) = E-conj-R1l (UE-invR lt) 
UE-invR (E-conj-R2 lt) = E-conj-R2 (UE-invR lt) 
UE-invR (E-trans ltl 1t2) = €-trans (WE-invR ltl) 1t2 


Environments 


An environment gives meaning to the free variables in a term by 
mapping variables to values. 


Env : Context - Set 
Env F = V (x : T 3 «) = Value 


@: Env @ 


“@ () 


Infixt Sy 


init : V {f} > Env (FT , «) ~ Env& 
init y x = 


last : V {ff} > Env ([F , *) ~ Value 
last y=yZ 


init-last : V {f} = (y : Env (T_, *)) > y = (init y *, last y) 
init-last {[} y = extensionality lemma 
where lemma : V (x : TF ,*3*) > y xs (init y °, last y) x 
lemma Z refl 
lemma (S x) refl 


We extend the E relation point-wise to environments with the 
following definition. 


Env [ - Env Tf - Set 
V(x :T3*)s7yx£6x 


We define a bottom environment and a join operator on environ- 
ments, which takes the point-wise join of their values. 


“Lo: V {7} - Env 
pI ae 

uo: V {f} = Env? = Env > Enver 
(y U6) x=yxu6x 

The C-refl, E-conj-R1, and E-conj-R2 rules lift to envi- 
ronments. So the join of two environments y and 6 is greater 
than the first environment y or the second environment 6. 


‘c-refl : V {7} {fy : Envi} oy ‘cy 

‘c-refl {Tf} {y} x = G-refl {y x} 

C-env-conj-Rl_ : V {Tf} > (y : Env) > (6: Env) > y “E (y “U 6) 
C-env-conj-R1l y 6 x = E-conj-R1 £-refl 


C-env-conj-R2 : V {f} = (y : Env) - (6: EnvT) > 6 ‘© (y ‘LU 8) 


C-env-conj-R2 y 6 x = E-conj-R2 £-refl 


Denotational Semantics 


We define the semantics with a judgment of the form p F M } 
v, where op is the environment, M the program, and v isa result 
value. For readers familiar with big-step semantics, this notation 
will feel quite natural, but don’t let the similarity fool you. There 
are subtle but important differences! So here is the definition of 
the semantics, which we discuss in detail in the following para- 
graphs. 


IAT LX. 3S) 
data Fs : V{f} + Envf - ([T + x) > Value > Set where 


var : V {[} {y : Env T} {x} 


»-elim : V {fT} {y : Env T} {LM v w} 
L (ve w) 


»-intro : V {Tf} {y : Env FT} {N v w} 
>vy*,VENuUWwW 


l-intro : V {f} {y : Env FT} {M} 


U-intro : V {ff} {y : Env F} {M v w} 


Consider the rule for lambda abstractions, ~-intro. It says that 
a lambda abstraction results in a single-entry table that maps the 
input v to the output w, provided that evaluating the body in an 
environment with v bound to its parameter produces the output 
w. As a simple example of this rule, we can see that the identity 
function maps . to and also that itmaps Ll ~ lto L» 


: B@E* 
id=X #0 


denot-idl : V {fy} >yFidttlvrui 
denot-idl = »-intro var 


denot-id2 :V {fy} >yF ids (Le 1)» (Le LL) 
denot-id2 = »-intro var 


Of course, we will need tables with many rows to capture the 
meaning of lambda abstractions. These can be constructed using 
the U-intro rule. If term M (typically a lambda abstraction) 
can produce both tables v and w, then it produces the combined 
table v U w. One can take an operational view of the rules - 
intro and U-intro by imagining that when an interpreter 
first comes to a lambda abstraction, it pre-evaluates the function 
on a bunch of randomly chosen arguments, using many instances 
of the rule ~-intro, and then joins them into a big table using 
many instances of the rule U-intro. In the following we show 
that the identity function produces a table containing both of the 
previous results, L + Land (lL Ll) » (LY Ll). 


denot-id3 : “‘@Fidw (Le Ll) U (Le LL) & (Le 1) 
denot-id3 = Ll-intro denot-id1l denot-id2 


We most often think of the judgment y - M ! vas taking the 
environment y and term ™ as input, producing the result v. 
However, it is worth emphasizing that the semantics is a relation. 
The above results for the identity function show that the same 


environment and term can be mapped to different results. How- 
ever, the results for a given y and ™M are not too different, they 
are all finite approximations of the same function. Perhaps a bet- 
ter way of thinking about the judgment y - M 4! v is that the 
y, M, and v are all inputs and the semantics either confirms or 
denies whether v is an accurate partial description of the result 
of Min environment y. 


Next we consider the meaning of function application as given by 
the -elim rule. In the premise of the rule we have that L 
maps v to w. So if M produces v, then the application of L to 
M produces w. 


As an example of function application and the »-elim rule, we 
apply the identity function to itself. Indeed, we have both that © 
Fidt (uPu)& (uu) andalso O@ F id ! (ue 
u), SO we can apply the rule -elim. 


id-app-id : V {u : Value} = “@ + id: ids (u® u) 
id-app-id {u} = »-elim (»-intro var) (»-intro var) 


Next we revisit the Church numeral two: A f. A u. (f (f 
u) ). This function has two parameters: a function f£ and an arbi- 
trary value u, and it applies f twice. So f must map u to some 
value, which we’ll name v. Then for the second application, f 
must map v to some value. Let’s name it w. So the function’s ta- 
ble must include two entries, both u + vand v » w. For each 
application of the table, we extract the appropriate entry from it 
using the sub rule. In particular, we use the E-conj-R1 and E- 
conj-R2 to select u  vand v + w, respectively, from the ta- 
ble u * v U v » w. So the meaning of two‘ is that it takes 
this table and parameter u, and it returns w. Indeed we derive 
this as follows. 


denot-twoc : V{u vw: Value} - “@F twoc ! ((UBVUVeRW) PUP Y 
denot-twos {u}{v}{w} = 
b-intro (»-intro (»-elim (sub var 1t1) (»%-elim (sub var 1t2) var)) 
where ltl : VewEurevuiuvew 
ltl = C-conj-R2 (€-fun C-refl &-refl) 


Wt2:urnrveEurvuvew 


1t2 = (€-conj-R1 (€-fun €-refl £-refl)) 


Next we have a classic example of self application: A = Ax. (x 
x). The input value for x needs to be a table, and it needs to 
have an entry that maps a smaller version of itself, call it v, to 
some value w. So the input value looks like v -~ w U v. Of 
course, then the output of A is w. The derivation is given below. 
The first occurrences of x evaluates to v ~ w, the second oc- 
currence of x evaluates to v, and then the result of the applica- 
tion is w. 


A:@rx 
A = (XK (#0) : (#0)) 


denot-A : V {vw} - @FAL ((VeWHLUvV) & w) 
denot-A = »-intro (»-elim (sub var (E-conj-R1 
(sub var (E-conj-R2 


refl)) 
refl))) 


c- 
c- 
One might worry whether this semantics can deal with diverging 
programs. The 1 value and the L-intro rule provide a way to 
handle them. (The -intro rule is also what enables B reduc- 
tion on non-terminating arguments.) The classic © program is a 
particularly simple program that diverges. It applies A to itself. 
The semantics assigns to Q the meaning -t. There are several 
ways to derive this, we shall start with one that makes use of the 
U-intro rule. First, denot—A tells us that A evaluates to ((1 
— 1) U L) © L (choose vi = v2 = L). Next, A also evalu- 
atesto L + 1 by use of ~-introand l-introandto 1 by 
-intro. As we saw previously, whenever we can show that a 
program evaluates to two values, we can apply U-intro to join 
them together, so A evaluatesto (1 % L) U L. This matches 
the input of the first occurrence of A, so we can conclude that 
the result of the application is L. 


Q:OGrx 

= 2 oh 

denot-0 : “‘@FQ UL 

denot-Q = »-elim denot-A (U-intro (»-intro L-intro) L-intro) 


A shorter derivation of the same result is by just one use of the 


t-intro rule. 


denot-0' : @FQUL 
denot-Q' = L-intro 


Just because one can derive @ / M | 1 for some closed term 
M doesn’t mean that M necessarily diverges. There may be other 
derivations that conclude with M producing some more informa- 
tive value. However, if the only thing that a term evaluates to is 
L, then it indeed diverges. 


An attentive reader may have noticed a disconnect earlier in the 
way we planned to solve the self-application problem and the ac- 
tual -elim rule for application. We said at the beginning that 
we would relax the notion of table lookup, allowing an argument 
to match an input entry if the argument is equal or greater than 
the input entry. Instead, the ~-elim rule seems to require an 
exact match. However, because of the sub rule, application re- 
ally does allow larger arguments. 


b-elim2 : V {T} {y : Env T} {Mi M2 vi v2 v3} 
>VyEMi t (v1 & vs) 
> VEM2 1 v2 
2 V1 © V2 


> yk (Mi: Mz) U vs 
h-elim2 di dz lt = »-elim di (sub dz lt) 


Exercise denot—plus‘ (practice) 
What is a denotation for plus‘? That is, find a value v (other 
than L) such that @ - plus‘ | v. Also, give the proof of © 


F plus* 4 v for your choice of v. 


-- Your code goes here 


Denotations and denotational equality 


Next we define a notion of denotational equality based on the 
above semantics. Its statement makes use of an if-and-only-if, 


which we define as follows. 


_iff_ : Set > Set > Set 
P iff Q = (P > Q) x (Q = P) 


Another way to view the denotational semantics is as a function 
that maps a term to a relation from environments to values. That 
is, the denotation of a term is a relation from environments to val- 
ues. 


Denotation : Context - Seti 
Denotation T = (Env Tf - Value - Set) 


The following function & gives this alternative view of the se- 
mantics, which really just amounts to changing the order of the 


parameters. 


x) ~ Denotation F 


Qs 
= 
Il 
> 
< 
< 
L 
<o 
To4 
= i 
e 
< 


In general, two denotations are equal when they produce the 
same values in the same environment. 


infix 3 = 


_= : V {f} > (Denotation [) > (Denotation [) = Set 
(= {f} Di D2) = (y: EnvT) = (v:: Value) = Di y v iff D2 y v 


Denotational equality is an equivalence relation. 


=-refl : V {f : Context} - {M : Denotation I} 
-~M=M 
=-refl yv = ( (Ax 7x) , (Ax > x) ) 


=-sym : V {Ff : Context} - {MN : Denotation IT} 


=-sym eq y v = ( (projz (eq y v)) , (proj: (eq y v)) ) 


=-trans : V {f : Context} > {Mi Mz Ms : Denotation I} 
> Mi = M2 


> Mi = M3 
=-trans eql eq2 y v = ( (A z = proji (eq2 y v) (proji (eql y v) z)) 
(A z = projz (eql y v) (projz (eq2 y v) z)) 


Two terms M and N are denotational equal when their denota- 
tions are equal, that is, € M = & N. 


The following submodule introduces equational reasoning for the 
= relation. 


module =-Reasoning {f : Context} where 


infix 1 start_ 
infixr 2 =() =( )_ 


infix 31 


start_ : V {x y : Denotation I} 


-xX=Yy 
-xX=Yy 
start x=y = xey 


=(_) : V (x : Denotation Tl) f{y z : Denotation I} 


7 xX=Yy 
-~y=zZz 
> X= Z 
(x =( x=y ) y=z) = =-trans x=y y=z 
_=()  : V (x : Denotation [) {y : Denotation IT} 
>7xX=y 
-xX=Yy 
x =() x=y = xey 
Ss VY (x : Denotation IT) 
> xX = xX 
(xo) = =-refl 


Road map for the following chapters 


The subsequent chapters prove that the denotational semantics 
has several desirable properties. First, we prove that the seman- 
tics is compositional, i.e., that the denotation of a term is a func- 
tion of the denotations of its subterms. To do this we shall prove 
equations of the following shape. 


é€ (~ x) 
€ (A M) EM 
€ (M:N) = EM EN 


The compositionality property is not trivial because the seman- 
tics we have defined includes three rules that are not syntax di- 
rected: L-intro, U-intro, and sub. The above equations 
suggest that the denotational semantics can be defined as a re- 
cursive function, and indeed, we give such a definition and prove 
that it is equivalent to &. 


Next we investigate whether the denotational semantics and the 
reduction semantics are equivalent. Recall that the job of a lan- 
guage semantics is to describe the observable behavior of a given 
program M. For the lambda calculus there are several choices 
that one can make, but they usually boil down to a single bit of 
information: 


+ divergence: the program M executes forever. 
* termination: the program M halts. 


We can characterize divergence and termination in terms of re- 
duction. 


+ divergence: = (M —>» A N) for any term N. 
* termination: M —~ A N forsometerm N. 


We can also characterize divergence and termination using deno- 
tations. 


- divergence: - (© F M1 v' w) forany vand w. 
* termination: @ Fk M | v » wforsome vand w. 


Alternatively, we can use the denotation function @. 


+ divergence: - (€ M = & (A N)) foranyterm N. 


* termination: € M = & (A N) forsometerm N. 


So the question is whether the reduction semantics and denota- 
tional semantics are equivalent. 


(AN. M—~AN) iff (AN. €M= € (A N)) 


We address each direction of the equivalence in the second and 
third chapters. In the second chapter we prove that reduction to 
a lambda abstraction implies denotational equality to a lambda 
abstraction. This property is called the soundness in the literature. 


M—> AN implies €M= € (A N) 


In the third chapter we prove that denotational equality to a 
lambda abstraction implies reduction to a lambda abstraction. 
This property is called adequacy in the literature. 


€M=é (AN) implies M—~ AN’ for some N’ 


The fourth chapter applies the results of the three preceding 
chapters (compositionality, soundness, and adequacy) to prove 
that denotational equality implies a property called contextual 
equivalence. This property is important because it justifies the use 
of denotational equality in proving the correctness of program 
transformations such as performance optimizations. 


The proofs of all of these properties rely on some basic results 
about the denotational semantics, which we establish in the rest 
of this chapter. We start with some lemmas about renaming, 
which are quite similar to the renaming lemmas that we have 
seen in previous chapters. We conclude with a proof of an impor- 
tant inversion lemma for the less-than relation regarding func- 
tion values. 


Renaming preserves denotations 


We shall prove that renaming variables, and changing the envi- 
ronment accordingly, preserves the meaning of a term. We gener- 
alize the renaming lemma to allow the values in the new envi- 
ronment to be the same or larger than the original values. This 


generalization is useful in proving that reduction implies denota- 
tional equality. 


As before, we need an extension lemma to handle the case where 
we proceed underneath a lambda abstraction. Suppose that op is 
a renaming that maps variables in y into variables with equal or 
larger values in 6. This lemmas says that extending the renam- 
ing producing a renaming ext rthatmaps y , vto 6 , v. 


c: V {f Av} {y : EnvT} {6 : Env A} 
(op : Rename T A) 
y “& (6 © p) 


We proceed by cases on the de Bruijn index n. 


- If it is z, then we just need to show that v © v, which 
we have by E-refl. 


* If itis S n’, then the goal simplifiesto y n’ © 6 (pop n 
'), which is an instance of the premise. 


Now for the renaming lemma. Suppose we have a renaming that 
maps variables in y into variables with the same values in 6. If 
M results in v when evaluated in environment y, then applying 
the renaming to M produces a program that results in the same 
value v when evaluated in 6. 


rename-pres : V {f A v} {y : Env Tl} {6 : Env A} {M: FT + x} 
= (p : Rename [ A) 


> 6F (rename p M) i v 
rename-pres p lt (var {x = x} 
rename-pres p Lt (»-elim d di 

»-elim (rename-pres p lt d 
rename-pres p lt (»-intro d) = 

»-intro (rename-pres (ext p) (ext-E£ p lt) d) 
rename-pres p lt L-intro = L-intro 


sub var (lt x) 


)= 
)= 
) (rename-pres p lt di) 


rename-pres p lt (U-intro d di) = 

U-intro (rename-pres p lt d) (rename-pres p lt di) 
rename-pres p Lt (sub d lt’) = 

sub (rename-pres p lt d) lt’ 


The proof is by induction on the semantics of M. As you can see, 
all of the cases are trivial except the cases for variables and 
lambda. 


* For a variable x, we make use of the premise to show that 
y x E 6 (¢9 x). 


* For a lambda abstraction, the induction hypothesis re- 
quires us to extend the renaming. We do so, and use the 
ext—E lemma to show that the extended renaming maps 
variables to ones with equivalent values. 


Environment strengthening and identity renaming 


We shall need a corollary of the renaming lemma that says that 
replacing the environment with a larger one (a stronger one) 
does not change whether a term ™ results in particular value v. 
In particular, if y HK Mt! vand y © 6,then 6 - My v. 
What does this have to do with renaming? It’s renaming with the 
identity function. We apply the renaming lemma with the iden- 
tity renaming, which gives us 6 F rename (A {A} x > x) 
M 4 v, and then we apply the rename-id lemma to obtain 6 
FMIvyv. 


c-env : V {fT} fy : Env T} {6 : Env T} {M v} 


->6rFMuv 
E-env{l }{y}{6}{M}{v} d Ut 
with rename-pres{f }{P}{v}{y}{6}{M} (A {A} x > x) ltd 
| 6Fid[M]iv rewrite rename-id {[}{x}{M} = 
6brid[MJiv 


In the proof that substitution reflects denotations, in the case for 
lambda abstraction, we use a minor variation of C-env, in 
which just the last element of the environment gets larger. 


up-env : V {fT} {y : Env TF} {M v ur uz} 
>(y°, U.)rFMuv 


> (y°, Uz)rFMuv 
up-env d lt = E-env d (ext-le lt) 
where 
ext-le : V {y U1 U2} = Ur E u2 > (y *, U1) “E (Y *, U2) 
ext-le lt Z = lt 
ext-le lt (Sn) = E-refl 


Exercise denot-—church (recommended) 


Church numerals are more general than natural numbers in that 
they represent paths. A path consists of n edges and n + 1 ver- 
tices. We store the vertices in a vector of length n + 1 in re- 
verse order. The edges in the path map the ith vertex to the i + 
1 vertex. The following function D*suc (for denotation of suc- 
cessor) constructs a table whose entries are all the edges in the 
path. 


D*suc : (n : N) = Vec Value (suc n) > Value 
D*suc zero (a[0] :: []) =1 
D*suc (suc i) (a[fitl] :: afi] : ls) = a[i] » a[it+l] WU D*suc i (afi 


We use the following auxiliary function to obtain the last ele- 
ment of a non-empty vector. (This formulation is more conve- 
nient for our purposes than the one in the Agda standard li- 
brary.) 


vec-last : V{n : N} ~ Vec Value (suc n) > Value 
vec-last {0} (a: []) =a 
vec-last {suc n} (at: b :: ls) = vec-last (b !: ls) 


The function D° computes the denotation of the nth Church nu- 
meral for a given path. 


Dc : (n : N) = Vec Value (suc n) - Value 
De n (a[n] :: ls) = (D*suc n (a[n] :: ls)) & (vec-last (a[n] :: ls)) & 


* The Church numeral for 0 ignores its first argument and re- 


turns its second argument, so for the singleton path con- 
sisting of just a[0], its denotation is 


tt» a[0] » a[0] 


* The Church numeral for suc n takes two arguments: a 
successor function whose denotation is given by D*suc, 
and the start of the path (last of the vector). It returns the 
n + 1 vertex in the path. 


(D*suc (suc n) (a[ntl] <=: a[n] <=: ls)) & 
(vec-last (a[n] *: l1s)) * a[n+t1] 


The exercise is to prove that for any path 1s, the meaning of the 
Church numeral nis D° n ls. 


To facilitate talking about arbitrary Church numerals, the follow- 
ing church function builds the term for the nth Church nu- 
meral, using the auxiliary function apply-n. 


apply-n: (n:N) 3>2,%,x*E.eR 
apply-n zero = # 0 
apply-n (suc n) = #1: apply-nn 


church : (n: N) >@rF x 
church n = X X apply-n n 


Prove the following theorem. 


denot-church : V{in : N}{ls : Vec Value (suc n) } 
> ‘Ot church n ! Df n Is 


-- Your code goes here 


Inversion of the less-than relation for functions 


What can we deduce from knowing that a function v » w is 
less than some value u? What can we deduce about u? The an- 
swer to this question is called the inversion property of less-than 
for functions. This question is not easy to answer because of the 
E-dist rule, which relates a function on the left to a pair of 


functions on the right. So u may include several functions that, 
as a group, relate to v > w. Furthermore, because of the rules 
E-conj-R1 and E-conj-R2, there may be other values inside 
u, such as L, that have nothing to do with v ~ w. But in gen- 
eral, we can deduce that u includes a collection of functions 
where the join of their domains is less than v and the join of 
their codomains is greater than w. 


To precisely state and prove this inversion property, we need to 
define what it means for a value to include a collection of values. 
We also need to define how to compute the join of their domains 
and codomains. 


Value membership and inclusion 


Recall that we think of a value as a set of entries with the join 
operator v U w acting like set union. The function value v 
w and bottom value + constitute the two kinds of elements of 
the set. (In other contexts one can instead think of t as the 
empty set, but here we must think of it as an element.) We write 
u € vtosay that u isan element of v, as defined below. 


Intix Se 

_€ : Value > Value = Set 
uE€L=u=zEL 
uEVeW=UZEVRW 
u€(vuw) =uE€vuuew 


So we can represent a collection of values simply as a value. We 
write v © w to say that all the elements of v are alsoin w. 


UATLX’ By Je - 


_¢_: Value - Value - Set 
vcow=V{u} >u€veu€Ew 


The notions of membership and inclusion for values are closely 
related to the less-than relation. They are narrower relations in 
that they imply the less-than relation but not the other way 
around. 


Gc : V{u v : Value} 
-uUuEV 


>UEV 
Gc {.1} {1} refl = E-bot 


Gc {v » w} {v & w} refl = E-refl 
€-c {u} {v U w} (inji x) = E-conj-Rl (G+ x) 
€-c {u} {v U w} (inj2 y) = E-conj-R2 (EG y) 
Gc : V{u v : Value} 
>ucyv 
>UEV 
GE {1} s with s {1} refl 
... | X = E-bot 
GE {ue u’} s with s {ue u’} refl 
| xX = GE x 


Ge {fu U u’} Ss = E-conj-L (QE (A z > S (inji z))) (SE (Az 5S (ir 


We shall also need some inversion principles for value inclusion. 
If the union of u and v is included in w, then of course both u 
and v are each included in w. 


uic-inv : V{u v w: Value} 
~ (uulv) ow 


>ucw x vecw 
uc-inv uvww = ( (A Xx = uw (inji X)) , (A X > UW (inj2 x)) ) 


In our value representation, the function value v * w is both 
an element and also a singleton set. So if v ~ w is a subset of 
u, then v  w must bea member of u. 


>VerweEu 
HCE incl = incl refl 


Function values 


To identify collections of functions, we define the following two 


predicates. We write Fun uif u is a function value, that is, if u 
= v +» w for some values v and w. We write all-funs vif 
all the elements of v are functions. 


data Fun : Value > Set where 
fun : V{u v w} > u = (ve Ww) > Fun u 


all-funs : Value > Set 
all-funs v = V{u} > u € v = Fun u 


The value L is not a function. 


=—Funl : — (Fun 1) 
-—Funl (fun ()) 


In our values-as-sets representation, our sets always include at 
least one element. Thus, if all the elements are functions, there is 
at least one that is a function. 


all-funs€ : V{u} 
> all-funs u 
~ X[ v € Value ] Z[ w € Value ] veweEu 
all-funs€ {1} f with f {1} refl 
| fun () 
all-funs€ {v» w} f =(v,(w, refl ) ) 
all-funse€ {u Li u’} f 
with all-funs€ (A z 
| (v,(w,m) ) 


L 
~+t 


Domains and codomains 


Returning to our goal, the inversion principle for less-than a 
function, we want to show that v » w ©& u implies that u in- 
cludes a set of function values such that the join of their domains 
is less than v and the join of their codomains is greater than w. 


To this end we define the following Lldom and Llcod functions. 
Given some value u (that represents a set of entries), Lldom u 
returns the join of their domains and Llcod u returns the join of 
their codomains. 


| dom : (u': Value) > Value 

[dom it =1 

[dom (ve w) =v 

| dom (u U u’) =[ dom u U | dom u’ 


| cod : (u : Value) > Value 

L[eod L =L1 

| kod (ve w) =w 

| cod (u LU u’) =[ cod u U | cod u’ 


We need just one property each for Lldom and Llcod. Given a 
collection of functions represented by value u, and an entry v 
+ w © u, we know that v is included in the domain of u. 


»€-4d dom : V{u v w: Value} 
> all-funs u = (vew) Eu 
> v ¢| om u 
rEsq dom {1} fg () ue€v 
»€-d dom {v » w} fg refl u€v = u€v 
»€-d dom {u Ui u’} fg (inji veweu) u€v = 
let ih = »€3d dom (A z = fg (inji Z)) VvewEu in 
inji (ih u€v) 
»€-d dom {u LU u’} fg (inj2 veweu’) uév = 
let ih = »€3d dom (A z = fg (inj2 z)) vewEu’ in 
injz (ih u€v) 


Regarding Llcod, suppose we have a collection of functions rep- 
resented by u, but all of them are just copies of v ~~ w. Then 
the Llcod u is included in w. 


c+ jcode : V{u v w: Value} 
2-UuUEGVRW 
~|\cod ucw 
G+ |code {1} s refl with s {1} refl 
ve | 0) 
G+ |code {C » C’} s mwith s {C & C’} refl 


| refl =m 
Ge code {u U u’} s (inji x) = G&4\code (A {C} z > s (inj: z)) 
G+ |code {u U u’} Ss (inj2 y) = &+4 code (A {C} z > 5s (inj2 z)) 


With the Lldom and Llcod functions in hand, we can make pre- 
cise the conclusion of the inversion principle for functions, which 


x 
y 


we package into the following predicate named factor. We say 
that v ~ w factors uinto u’ if u’ isincludedin u,if u’ con- 
tains only functions, its domain is less than v, and its codomain 
is greater than w. 


factor : (u.: Value) = (u’ : Value) > (v : Value) ~ (w: Value) - Se 
factor uu’ v w= all-funs u’ x u’ Cu x [Mdomu’ Ev x weE|ce 


So the inversion principle for functions can be stated as 


veweEu 


> factor uu’ vw 


We prove the inversion principle for functions by induction on 
the derivation of the less-than relation. To make the induction 
hypothesis stronger, we broaden the premise v ~ w © uto ui 
E uz, and strengthen the conclusion to say that for every function 
value v ~ w © ui, we have that v » w factors uz into some 
value us. 


> Viv w} ~v? weEeEu- Xf us € Value ] factor u2 
u3 V Ww 


Inversion of less-than for functions, the case for E-trans 


The crux of the proof is the case for E-trans. 


(E-trans) 


By the induction hypothesis for u1 © u, we know that v ~ w 
factors u into u’, for some value u’, so we have all- 
funs u’ and u’ C€ u. By the induction hypothesis for u © 
uz, we know that forany v’ ~ w’ € u, v’ © w’ factors uz 
into us. With these facts in hand, we proceed by induction on u 


’ to prove that (LIdom u’) ~ (Lilcod u’) factors uz into 
ug. We discuss each case of the proof in the text below. 


sub-inv-trans : V{u’ u2 u : Value} 

> all-funs u’ - u’ Cu 

> (V{v’ wi} =v’ »w E€u- Xf us € Value ] factor uz uz v’ w’) 

+ X[ us € Value ] factor uz us (| dom u’) (|\cod u’) 
sub-inv-trans {1} {uz} {u} fu’ u’cu IH = 

contradiction (fu’ refl) 7Funl 
sub-inv-trans {u1’ » u2’} {u2} {u} fg u’cSu IH = IH (»S€ u’cu) 
sub-inv-trans {u1’ U u2’} {u2} {u} fg u’cu IH 

with Uc-inv u’Cu 

| ( ui’Gu , u2’Cu ) 


with sub-inv-trans {u1°} {u2} {u} (A {v’} z > fg (inji z)) ui’&u 
| sub-inv-trans {u2’} {u2} {u} (A {v’} z > fg (injz2 z)) u2’c 
| ( usi , ( fu21' , ( Uusigu2 , ( dusifdui’ , cui’Ecu3si ) ) ) ) 
| ( us2 , ( fu22' , ( us2fu2 , ( dus2Edu2’ , Cu1’Ecu3s2 ) ) ) ) = 
( (U31 Li Usz) , ( fuz” , ( U2’cu2 , 


( WEL dusiGdu1” du3zzEdu2’ , 
WEL cu1’&cus1 Cui’&cus2 ) ) ) ) 
where fuz’ : {v’ : Value} - v’ € uaa WU Vv’ € Uus2 > Fun v’ 
fu2’ {v’} (inji x) = fu21' x 
fu2" {v’} (inj2 y) = fu22' y 
u2’Ccuz : {C : Value} > C € u3s1 UC E usz2 = C E uz 


u2’Cu2 {C} (inji x) = u3s1Su2 xX 
u2’Cu2 {C} (inj2 y) = us2Gu2 y 
* Suppose u’ = LL. Then we have a contradiction because 


it is not the case that Fun L. 


Suppose u’ = ui’ * uz’. Then wu’ © uz’ © u and 
we can apply the premise (the induction hypothesis from 
u E— uz) to obtain that ui’ ~ ue’ factors uz into uz. 


This case is complete because Lldom u’ = wi’ and 
Llcod u’ = uz’. 
* Suppose u’ = ui’ U uz’. Then we have ui’ © uand 


u2' © u. We also have all-funs ui’ and all-funs 
uz’, SO we can apply the induction hypothesis for both u1 
' and uz’. So there exists values us3i and us32 such that 
(Lldom ui’) * (LIlcod ui’) factors u into ugi and 
(Lldom uz’) * (Lilcod uz’) factors u into us2. We 
will show that (LIdom u) ~*~ (Llcod u) factors u into 


u3i LI u32. So we need to show that 


Lldom (u3i U use) E Lidom (u1’ U ug’) 
Llcod (u1’ U uz’) E Lcod (us1 U usz) 


But those both follow directly from the factoring of u into 


ugi and ugz2, using the monotonicity of U with respect to 
c 


Inversion of less-than for functions 


We come to the proof of the main lemma concerning the inver- 
sion of less-than for functions. We show that if ui © uz, then 
for any v * w © ui, wecan factor uz into ug according to v 
‘+ w. We proceed by induction on the derivation of u1 © uz, 
and describe each case in the text after the Agda proof. 


sub-inv : V{ui u2 : Value} 
> U1 E U2 
- Vivwh >veweEu 
> X[ us € Value ] factor uz uz v w 
sub-inv {1} {uz} E-bot {v} {w} () 
sub-inv {U11 LU Ur2} {u2} (E-conj-L ltl 1t2) {v} {w} (inji x) 
sub-inv {U11 U Ur2} {u2} (E-conj-L ltl 1t2) {v} {w} (inj2 y) 
sub-inv {ui} {u21 U U22} (E-conj-Rl lt) {v} {w} m 
with sub-inv lt m 
| ( usi1 , ( fu31 , ( U3s1GU21 , ( domu3i&v , wecodus: ) ) ) ) 
( u3s1 , ( fusi , ( (A {w} z > inji (U31GU21 Z)) , 
( domu3si&v , wecodus: ) ) ) ) 
sub-inv {ui} {u21 U u22} (E-conj-R2 lt) {v} {w} m 
with sub-inv lt m 
( us2 , ( fusz , ( U3s2GU22 , ( domuszEv , wecodusz ) ) ) ) 
( us2 , ( fusz , ( (A {C} z= inj2 (U3s2GU22 Z)) , 
( domuszEv , wecodusz ) ) ) ) 
sub-inv {ui} {u2} (€-trans{v = u} urEu uEuz) {v} {w} vewEur 
with sub-inv ui&u vewEur 


ub-i 
ub-1 


Wo 
nn 


|} ( u’, ( fu’, ( u’Su , ( domu’fv , wecodu’ ) ) ) ) 
with sub-inv-trans {u’} fu’ u’Cu (sub-inv uEuz) 
| ( us , ( fus , ( usSu2 , ( domusEdomu’ , codu’Ecodus ) ) ) ) = 


( us , ( fus , ( usSu2 , ( E-trans domusEdomu’ domu’Ev , 
C-trans wecodu’ codu’Ecodus ) ) 
sub-inv {Ui1 © Ui2} {U21 » U22} (E-fun ltl 1t2) refl = 
( Uzi »& U2z2, ( (A {w} > fun) , ( (A {C} z > z) , ( ltl , 1t2 ) 


sub-inv {U21 » (U22 LI U23)} {U21 »& U22 LU U2i & U23} E-dist 
{.U21} {.(U22 LU U23)} refl = 
( Uzi » U2zz2 UE Uzi & U23a , ( fF, ( 3 ( E-conj-L cC-refl E-refl , 
where f : all-funs (U21 »% U22 LI U21 & U23) 

f (inji x) = fun x 
f (inj2 y) = fun y 
Q : (U21 » U22 U U2i& U23) © (U21 & U22 LI U2i & U23) 
g (inji x) = inji x 
g (inj2 y) = injz y 


Let v and w be arbitrary values. 


* Case E-bot. So u. = L. Wehave v © w é€ LL, but that 
is impossible. 


* Case E-conj-L. 


Given that v ~ w © ui U uyz, there are two subcases 
to consider. 


© Subcase v * w © un. We conclude by the induc- 
tion hypothesis for u11 © uz. 


© Subcase v * w © uz. We conclude by the induc- 
tion hypothesis for u1iz2 © uz. 


* Case E-conj-R1. 


Given that v ~ w ©€ ui, the induction hypothesis for u1 
E ua gives us that v ~ w factors u21 into ug: for some 
usi. To show that v »* w also factors u2i1 U uz22 into 
ugi, we just need to show that uszi © ua2i U uzz, but that 
follows directly from ugi © uai. 


* Case E-conj-R2. This case follows by reasoning similar 


to the case for E-conj-R1. 


Case E-trans. 


By the induction hypothesis for ui © u, we know that v 
+ w factors u into u’, for some value wu’, so we have 
all-funs u’ and u’ C€ u. By the induction hypothesis 
for u © uz, we know that for any v'’ ~ w’ € u, v' & 
w’ factors uz. Now we apply the lemma sub-inv-trans, 
which gives us some u3 such that (LIdom u’) © (LIcod 
u’) factors uz into u3. We show that v + w also factors 
uz into u3. From Lldom u3 © Lldom u’ and Lldom u’ 
C v, we have Lldom us © v. From w E Llcod u’ and 
Llcod u’ E Llcod us, we have w E Llcod us, and this 
case is complete. 


Case C-fun. 


ua1 © ust u12 © u22 


u1  ui2 © ua ? u22 


Given that v ~ w © ui * ui2, we have v = ui and 
w = ui2. We show that u11 © wiz factors us ~ u22 
into itself. We need to show that Lldom (u21 ~ wu22) E 
u11 and u1i2 © Lilcod (u21  uz2), but that is equivalent 
to our premises u21 © us: and uiz2 © uzz. 


Case E-dist. 


ua1 > (u22 U ua3) © (ua1  u22) U (ua © ua3) 


Given that v ~ w © ua * (u22 U u23), we have v = 
u21 and w = wu22 U ua3. We show that u21 ~ (u22 U 
u23) factors (u21 ~ u22) U (u21  u23) into itself. We 


have ua U ua © ua, and also u22 U u2z3 © uz U 
uz3, so the proof is complete. 


We conclude this section with two corollaries of the sub-inv 
lemma. First, we have the following property that is convenient 
to use in later proofs. We specialize the premise to just v > w 
E ui and we modify the conclusion to say that for every v' 
w’ © uz, wehave v’ E v. 


sub-inv-fun : V{v w ua : Value} 
> (vew) Eu 
> X[ uz € Value ] all-funs uz x u2 u 
x (V{iv’ w} = (v’ ew’) € u2 Oo 
sub-inv-fun{v}{w}{ui} abc 
with sub-inv abc {v}{w} refl 
| ( u2, ( Ff, ( u2cui , ( db, cc ))))= 
(u2, ( f , ( u2cui , (G,cc))) ) 
where G : V{D E} - (De® E) €uz2 -DEV 
G{D}{E} m = E-trans (Gee (Ke-d dom f m)) db 


< In 


ul 
Cv) x wE&|{cod u2 


The second corollary is the inversion rule that one would expect 
for less-than with functions on the left and right-hand sides. 


Hon-inv : Viv wv’ w'} 
> VePWEVW BW 
->V EvxweEw 
Hon -inv{v}{w}{v’ }{w’} ut 
with sub-inv-fun lt 
. | (PF, ( f, ( Pev34 , ( itl, t2))) ) 
with all-funse€ f 
. | (u, ( u’, uu’ ) ) 
with Pev34 usu’ & 
... | refl = 
let _\codlcw’ = G4 |code Fev34 in 
( tl ueu’@ , E-trans Ut2 (Se | codlcw’) }) 


Notes 


The denotational semantics presented in this chapter is an exam- 
ple of a filter model (H. Barendregt, Coppo, and Dezani- 
Ciancaglini (1983)). Filter models use type systems with intersec- 


tion types to precisely characterize runtime behavior (Coppo, 
Dezani-Ciancaglini, and Salle’ (1979)). The notation that we use 
in this chapter is not that of type systems and intersection types, 
but the Value data type is isomorphic to types (~ is >, Uis av, 
1 is T), the E relation is the inverse of subtyping <:, and the 
evaluation relation 9 / M J vis isomorphic to a type system. 
Write I instead of 9, Ainstead of v, and replace | with : and 
one has a typing judgement Tr - M : A. By varying the defini- 
tion of subtyping and using different choices of type atoms, inter- 
section type systems provide semantics for many different un- 
typed A calculi, from full beta to the lazy and call-by-value cal- 
culi (Alessi, Barbanera, and Dezani-Ciancaglini (2006)) (Ronchi 
Della Rocca and Paolini (2004)). The denotational semantics in 
this chapter corresponds to the BCD system (H. Barendregt, 
Coppo, and Dezani-Ciancaglini (1983)). Part 3 of the book 
Lambda Calculus with Types describes a framework for intersec- 
tion type systems that enables results similar to the ones in this 
chapter, but for the entire family of intersection type systems (H. 
Barendregt, Dekkers, and Statman (2013)). 


The two ideas of using finite tables to represent functions and of 
relaxing table lookup to enable self application first appeared in 
a technical report by Plotkin (1972) and are later described in an 
article in Theoretical Computer Science (Plotkin (1993)). In that 
work, the inductive definition of Value is a bit different than 
the one we use: 


Value = C + fOf (Value) x @f (Value) 


where C is a set of constants and ~of means finite powerset. The 
pairs in ff(Value) x 9f(Value) represent input-output 
mappings, just as in this chapter. The finite powersets are used to 
enable a function table to appear in the input and in the output. 
These differences amount to changing where the recursion ap- 
pears in the definition of Value. Plotkin’s model is an example 
of a graph model of the untyped lambda calculus (H. P. Baren- 
dregt (1984)). In a graph model, the semantics is presented as a 
function from programs and environments to (possibly infinite) 
sets of values. The semantics in this chapter is instead defined as 
a relation, but set-valued functions are isomorphic to relations. 


Indeed, we present the semantics as a function in the next chap- 
ter and prove that it is equivalent to the relational version. 


The (0(w) model of Scott (1976) and the B(A) model of Engeler 
(1981) are two more examples of graph models. Both use the fol- 
lowing inductive definition of Value. 


Value = C + fOf (Value) x Value 


The use of Value instead of (Of (Value) in the output does 
not restrict expressiveness compared to Plotkin’s model because 
the semantics use sets of values and a pair of sets (V, V’) can 
be represented as a set of pairs { (V, v’) | v’ e© Vv’ }.In 
Scott’s (9(w), the above values are mapped to and from the natu- 
ral numbers using a kind of Godel encoding. 


Unicode 


This chapter uses the following unicode: 


+t U+22A5 UP TACK (\bot) 

>  U+21A6 RIGHTWARDS ARROW FROM BAR (\mapsto) 

Uo = U+2294 SQUARE CUP (\lub) 

Cc U+2291 SQUARE IMAGE OF OR EQUAL TO 
(\sqsubseteq) 

L| U+2A06 N-ARY SQUARE UNION OPERATOR (\Lub) 

fF U+22A2 RIGHT TACK (\|- or \vdash) 

4 U+2193 DOWNWARDS ARROW (\d) 

© U+1D9C MODIFIER LETTER SMALL C (\%c) 

&€ U+2130 SCRIPT CAPITAL E (\McE) 

= U+2243 ASYMPTOTICALLY EQUAL TO (\~- or 
\simeq) 

© U+2208 ELEMENT OF (\in) 

Cc U+2286 SUBSET OF OR EQUAL TO (\sub= or 
\subseteq) 


References 


Compositional: The denotational seman- 
tics is compositional 


module plfa.part3.Compositional where 


Introduction 


In this chapter we prove that the denotational semantics is com- 
positional, which means we fill in the ellipses in the following 
equations. 


€ ( x) =... 
€ (AM) =... @M... 
€ (M+ N) =... @M... EN 


Such equations would imply that the denotational semantics 
could be instead defined as a recursive function. Indeed, we end 
this chapter with such a definition and prove that it is equivalent 
to é. 


Imports 


open import Data.Product using (_x ; 2; X-syntax; 4; d-syntax; proji 
renaming (_, to (_, _)) 


open import Data.Sum using ( WU ; inji; injz) 


open import Data.Unit using (T; tt) 
open import plfa.part2.Untyped 


using (Context; ,; *} 3; kK; ;%; _'_) 
open import plfa.part3.Denotational 
using (Value; » ; ~, ; U; 14; FE; Fa; 


C-bot; &-fun; ©-conj-L; ©-conj-R1; ©-conj-R2; 
C-dist; E-refl; &-trans; LbLU-dist; 

var; »-intro; »-elim; L-intro; 1-intro; sub; 
up-env; &; = ; =-sym; Denotation; Env) 


open plfa.part3.Denotational.=-Reasoning 


Equation for lambda abstraction 


Regarding the first equation 
€ (AM) =... €M 


we need to define a function that maps a Denotation (I , 
*) to a Denotation I. This function, let us name it F, 
should mimic the non-recursive part of the semantics when ap- 
plied to a lambda term. In particular, we need to consider the 
rules ~-intro, L-intro, and U-intro. So ¥ has three pa- 
rameters, the denotation D of the subterm M, an environment y, 
anda value v. If we define ¥ by recursion on the value v, then 
it matches up nicely with the three rules ~-intro, l-intro, 
and U-intro. 


F : W{T} > Denotation ([ , *) ~ Denotation 
FDyY (vew) =D (y*, v) w 

FDYL=T 

FDy (uulbv) = (FDvyu) x (FDy v) 


If one squints hard enough, the ¥ function starts to look like the 
curry operation familiar to functional programmers. It turns a 
function that expects a tuple of length n + 1 (the environment 
Tr, %*) into a function that expects a tuple of length n and re- 
turns a function of one parameter. 


Using this ¥, we hope to prove that 
€ (AN) = & (€N) 


The function ¥ is preserved when going from a larger value v 
to a smaller value u. The proof is a straightforward induction on 
the derivation of u © v, using the up—env lemma in the case 
for the E-fun rule. 


sub-¥% : VW{T}{N: FT , * F «}{y v u} 
~- F(EN) VV 


(c-fun lt lt’) = sub (up-env d lt) lt’ 

(c-conj-L lt lti) = ( sub-#¥d lt , sub-Fd lti ) 

(C-conj-R1 lt) = sub-¥% (proji d) lt 

(C-conj-R2 lt) = sub-¥% (proj2 d) lt 

sub-¥ {v = v1 & V2 LU Vi & V3} {V1 & (V2 LU v3)} ( N2 , NB ) E-dist = 
Li-intro N2 N3 

sub-¥ d (€-trans x1 x2) = sub-¥Y (sub-¥d x2) x1 


With this subsumption property in hand, we can prove the for- 
ward direction of the semantic equation for lambda. The proof is 
by induction on the semantics, using sub-¥ in the case for the 
sub rule. 


EX-FE : V{T}{y : Env F}{N : F , *« FE x}{v : Value} 
~ € (KN) yv 
~ F(EN) YV 
EX-FE (w-intro d) =d 
€X-FE L-intro = tt 
€X-FE (U-intro di dz) = ( &KFE di , EX-FE dz ) 
EX-FE (sub d lt) = sub-F (FE d) it 


The “inversion lemma” for lambda abstraction is a special case of 
the above. The inversion lemma is useful in proving that denota- 
tions are preserved by reduction. 


lambda-inversion : V{T}{y : Env F}{N: 7 , * F x}{vi v2 : Value} 
>VFANI Vi» v2 


> (y °, Vi) EN 4 v2 
Lambda-inversion{vi = va}{vz2 = v2} d = &i-%E{v = vi & v2} d 


The backward direction of the semantic equation for lambda is 
even easier to prove than the forward direction. We proceed by 
induction on the value v. 


GEEK : VW }{y : Env F}{N : F , « F x}{v : Value} 
~ F(EN) YV 


= 1} d = L-intro 
FEEK {V = V1 & V2} d = »-intro 
SEEK {v = V1 U v2} ( dl , d2 ) 


[oe 


U-intro (F&EK d1) (F&E d2) 


So indeed, the denotational semantics is compositional with re- 
spect to lambda abstraction, as witnessed by the function F. 


lam-equiv : V{T}{N: 1 , « F x} 
> &€ (XN) = F (EN) 
lam-equiv y v = ( &K+FE , GEER ) 


Equation for function application 


Next we fill in the ellipses for the equation concerning function 
application. 


€ (M+N) =... @M... EN 


For this we need to define a function that takes two denotations, 
both in context IT, and produces another one in context I. This 
function, let us name it @, needs to mimic the non-recursive as- 
pects of the semantics of an application L - M. We cannot pro- 
ceed as easily as for ¥ and define the function by recursion on 
value v because, for example, the rule ~-elim applies to any 
value. Instead we shall define @ in a way that directly deals 
with the *-elim and 1-intro rules but ignores U-intro. 
This makes the forward direction of the proof more difficult, and 
the case for U-int ro demonstrates why the E-dist rule is im- 
portant. 


So we define the application of Di to D2, written Di @ Dz, to 
include any value w equivalent to 1, for the .-intro rule, 
and to include any value w that is the output of anentry v - w 
in Dy, provided the input v isin D2, forthe ~-elimrule. 


infixl 7 _@ 


e : V{l} += Denotation TF = Denotation [ = Denotation F 


(Di @e D2) yw=wElv 2 v€ Value ]( Di y (Ve w) x D2 yv ) 


If one squints hard enough, the _@_ operator starts to look like 
the apply operation familiar to functional programmers. It 
takes two parameters and applies the first to the second. 


Next we consider the inversion lemma for application, which is 


also the forward direction of the semantic equation for applica- 
tion. We describe the proof below. 


&-@€ : V{iF}{y : Env T}{LM: PF + «}{v : Value} 
2 &€(L:M)yv 
~(€éLeéM yv 
€:-@€ (»-elim{v = v’} di dz) = inj2 
&:-@€ {v = 1} L-intro = inji E-bot 
E:@€ {T}{y}{L}{M}{v} (uU-intro{v = 
with &-eé di | &:-eé dz 
.-. | inji Ut1 | inji 1t2 = inji (€-conj-L ltl 1t2) 
| inji Utl | inj2 ( vi’ , ( Livl2 , Miv3 ) ) = 
inj2 ( vi’ , ( sub Livl2 lt , Miv3 ) ) 


( v’, ( di , dz) ) 
vi}i{w = V2} di dz) 


, 


Muv 


where lt : vi’ » (vi U v2) Evi’ & v2 
lt = (€-fun €-refl (€-conj-L (€-trans ltl €-bot) &-refl) 
| inj2 ( vi’ , ( Lavl2 , Miv3 ) ) | inji 1t2 = 
inj2 ( vi’ , ( sub Livl2 lt , Miv3 ) ) 
where lt : vi’ &» (vi U v2) Evi’ »& vi 
lt = (€-fun €-refl (€-conj-L €-refl (€-trans lt2 C-bot)) 
| inj2 ( vi’ , ( Luv12 , Miv3 ) ) | ainje ( vi’’ , ( Luvi2’ 
let Luu = U-intro Liv12 Liv12’ in 


let Miu! = U-intro Miv3 Miv3’ in 
inj2 ( vi’ Uvi’’ , ( sub Lill Ubu-dist , Muu ) ) 
E@E {T}{yVH{L}{M}{v} (sub d lt) 
with &:-e€ d 
... | inji lt2 = inji (&-trans lt 1t2) 
| inj2 ( vi , ( Livl2 , Miv3 ) ) = 
inj2 ( vi , ( sub Livl2 (€-fun E-refl lt) , Miv3 ) ) 


We proceed by induction on the semantics. 


* In case ~-elim we have y F L i (v’ © v) and y 
- M | wv’, which is all we need to show (&€ L @ & M) 
yY v. 


* In case L-intro we have v = L. We conclude that v 
El. 


* In case U-intro we have € (L - M) y wiand & (L 
M) y v2 and need to show (€ L @€™M) y (wi Uu 
v2). By the induction hypothesis, we have (€ L @ & M) 
y viand (€ L @ & M) y v2. We have four subcases to 
consider. 


O 


@) 


Suppose vi © Land v2 © Ll. Then vi U v2 © 
i, 


Suppose v1 E 1, yF Ls wi’ © v2,and y F 
M J vi'.Wehave yFLw wi!’ © (v1 U va) 
by rule sub because vi’ © (vi U v2) E wi’ & 
V2. 


Suppose y F LJ wi’ * vi, y EFM I vi’, and 
v2 © 1.Wehave yF Ls vi’ © (vi U v2) by 
rule sub because v1' © (v1 U v2) E wt’ & 
V1. 


Suppose yF Livwi''’ @ vi, YVEMS wi''’—= 
yEFLdiwv' © vea,and y FM 1! vi’. This case 
is the most interesting. By two uses of the rule U- 
intro we have y FL! (v1' * v2) U (w1'! 
+ v1) andy FM ts (w1’ U vi'’). But this does 
not yet match what we need for € L @ & M be- 
cause the result of L must be an + whose input en- 
try is vi’ U vi’'. So we use the sub rule to ob- 
tain y F Ls (va’ U wi''’) © (v1 LU va), us- 
ing the U-U-dist lemma (thanks to the E-dist 
rule) to show that 


(vi'’ Uvi'’'’) © (va U ve) © (v1! © va) 
U (wi’’ © v1) 


So we have proved what is needed for this case. 


* Incase sub wehave TF L - MJ viand v € vi. By 
the induction hypothesis, we have (€ L @ & M) y v1. 
We have two subcases to consider. 


O 
O 


Suppose vi © Ll. Weconclude that v © L. 
Suppose TF Liv’ +> wand TEM 4s Vv’. 
We conclude with TF L J v’ > vbyrule sub, 
because v’ > v Ev’ => vi. 


The forward direction is proved by cases on the premise (é L 
y v. Incase v © 1, weobtain TF L- Mis Lby 


@&é&™M) 


rule L-intro. Otherwise, we conclude immediately by rule ~- 
elim. 


ecé : ViIT}{y : Env F}{L M: T + x}{v} 
~(€éLeéM yv 


2 &€(L:*M)yv 
emé {y}{v} (inji lt) = sub L-intro lt 
emé {y}{v} (inje ( vi , ( dl , d2 ) )) =#-elim dl d2 


So we have proved that the semantics is compositional with re- 
spect to function application, as witnessed by the @ function. 


app-equiv : V{T}{L M:T F x} 
> &(L + M) = (@L) @ (éM) 
app-equiv y v = ( &:-e€ , e&m&: ) 


We also need an inversion lemma for variables. If T F x J v, 
then v © y x. The proof is a straightforward induction on the 
semantics. 


var-inv : V {f v x} {y : Env T} 
) 


~€(° x) yv 
>vEyx 
var-inv (var) = E-refl 
var-inv (U-intro di dz) = €-conj-L (var-inv di) (var-inv d2) 
var-inv (sub d lt) = E-trans lt (var-inv d) 
var-inv L-intro = E-bot 


To round-out the semantic equations, we establish the following 
one for variables. 


var-equiv : V{T}{x :F 3 *} 7 @€ (> x)= (AYvovey x) 
var-equiv y v = ( var-inv , (A lt = sub var lt) ) 


Congruence 


The main work of this chapter is complete: we have established 
semantic equations that show how the denotational semantics is 
compositional. In this section and the next we make use of these 


equations to prove some corollaries: that denotational equality is 
a congruence and to prove the compositionality property, which 
states that surrounding two denotationally-equal terms in the 
same context produces two programs that are denotationally 
equal. 


We begin by showing that denotational equality is a congruence 
with respect to lambda abstraction: that € N = & N' implies & 
(A N) = & (A N’). We shall use the lam-equiv equation to 
reduce this question to whether ¥ is a congruence. 


F-cong : V{T}{D D’ : Denotation (T , «)} 


~>D=D 
~ FVD= FD’ 
F-cong{l} D=D’ y v = 


( (Ax = Prane x D=D’) , (A x > #f{y}{v} x (=-sym D=D’)) ) 
where 
F= : Vly : Env T}{v}{D D’ : Denotation (T , «x)} 

- FVvV - D= “a - FD vv 
F= {v = 1} fd dd’ = 
F= {y}{v » w} fd ct 
F= {y}{u U w} fd dd’ 


ek: (dd’ (y °, v) w) fd 
( F{y}{u} (proji fd) dd’ , A{y}{w} (proj 


The proof of ¥-cong uses the lemma ¥= to handle both direc- 
tions of the if-and-only-if. That lemma is proved by a straightfor- 
ward induction on the value v. 


We now prove that lambda abstraction is a congruence by direct 
equational reasoning. 


lam-cong : V{T}{NN’ :T , * F x} 
> €N=éN’ 
> € (XN) = &€ (KN’) 
lam-cong {fF }{N}{N’} Ne&N’ = 
start 
& (KN) 
=( lam-equiv ) 
F (€N) 
=( %-cong NeN’ ) 
F(EN’) 
=( =-sym lam-equiv ) 


& (KN’) 


Next we prove that denotational equality is a congruence for ap- 
plication: that € L = & L' and € M = @€ M' imply @ (L 
M) = &€ (L’ + M'). The app-equiv equation reduces this to 
the question of whether the @ operator is a congruence. 


e-cong : V{l}{Di Di’ D2 D2’ : Denotation T} 
> Di = Di’ = D2 = D2’ 
~ (Di @e Dz) = (Di’ @ D2’) 
e-cong {[f} dl d2 yv=( (Ax>e@xdl1d2) , 
(A X > @ xX (=-sym dl) (=-sym d2)) ) 
where 
e : V{y : Env [}{v}{Di Di’ D2 D2’ : Denotation T} 
> (Di @ Dz) yv = Di = Di’ 3 D2 = D2’ 
> (Di’ @ D2’) y v 
@ (inji VEL) eqi eq2 = inji vel 
@ {y} {w} (inj2 ( v, ( Dvew , Dv ) )) eqi eq = 
injz (v, ( proji (eq: y (v » w)) Dvew , proji (eq2 y v) Dv ) ) 


Again, both directions of the if-and-only-if are proved via a 
lemma. This time the lemma is proved by cases on (Di @ Dz) 
Vv v. 


With the congruence of @, we can prove that application is a 
congruence by direct equational reasoning. 


app-cong : V{f}{L L’ MM’ : T + x} 
-~€L=zéELW’ 


> &(L «= M) = €(L’ : M’) 
app-cong {fF }{L}{L’}{M}{M’} L=L’ MsM’ = 
Start 
&é (L: M) 
=( app-equiv ) 
éLeéM 
=( @-cong L=L’ MEM’ ) 
éloeéM 
=( =-sym app-equiv } 
& (L’ : M’) 


Compositionality 


The compositionality property states that surrounding two terms 
that are denotationally equal in the same context produces two 
programs that are denotationally equal. To make this precise, we 
define what we mean by “context” and “surround”. 


A context is a program with one hole in it. The following data 
definition Ctx makes this idea explicit. We index the Ctx data 
type with two contexts for variables: one for the hole and one for 
terms that result from filling the hole. 


data Ctx : Context - Context - Set where 
ctx-hole : V{T} - Ctx FF 
ctx-lam : V{P A} > Ctx (F , *) (A, *) ~ Ctx (F , *) A 
ctx-app-L : V{f A} > Ctx AsArFx-->Ctxl A 
ctx-app-R : V{f A} >ArFx-Ctxl A> CtxT A 


The constructor ctx—hole represents the hole, and in this 
case the variable context for the hole is the same as the 
variable context for the term that results from filling the 
hole. 


The constructor ctx-—lam takes a Ctx and produces a 
larger one that adds a lambda abstraction at the top. The 
variable context of the hole stays the same, whereas we re- 
move one variable from the context of the resulting term 
because it is bound by this lambda abstraction. 


There are two constructions for application, ctx-app-L 
and ctx-app-R. The ctx-app-L is for when the hole is 
inside the left-hand term (the operator) and the later is 
when the hole is inside the right-hand term (the operand). 


The action of surrounding a term with a context is defined by the 
following plug function. It is defined by recursion on the con- 


text. 


plug : 


ViT}{A} - Ctx FASPF Re? AF& 


plug ctx-hole M=M 
plug (ctx-lam C) N= plug CN 


N) (plug CL) : N 
C) 


plug (ctx-app-L C 
L L + (plug C M) 


plug (ctx-app-R 


L 
M 


We are ready to state and prove the compositionality principle. 
Given two terms M and N that are denotationally equal, plug- 
ging them both into an arbitrary context C produces two pro- 
grams that are denotationally equal. 


compositionality : V{T A}{C : Ctx F A} {MN: TF x} 
-~ €M=€EN 
> & (plug C M) = & (plug C N) 
compositionality {C = ctx-hole} MeN = 
M=N 
compositionality {C = ctx-lam C’} MeN 
lam-cong (compositionality {C = C’} 
compositionality {C = ctx-app-L C’ L} 
app-cong (compositionality {C = C’} 
compositionality {C = ctx-app-R L C’} 
app-cong (Ayv->( (Ax->x), 


a < gee  || 


Lrrern 


aaa2a 


The proof is a straightforward induction on the context C, using 
the congruence properties lam-cong and app-cong that we 
established above. 


The denotational semantics defined as a function 


Having established the three equations var-equiv, lam- 
equiv, and app-equiv, one should be able to define the deno- 
tational semantics as a recursive function over the input term M. 
Indeed, we define the following function [| M ] that maps terms 
to denotations, using the auxiliary curry ¥ and apply @ func- 
tions in the cases for lambda and application, respectively. 


+t x) ~ Denotation [ 
x 


The proof that & M is denotationally equal to [| M ] is a 
straightforward induction, using the three equations var- 
equiv, lam-equiv, and app-equiv together with the con- 


x) )) (compositionality 


gruence lemmas for ¥ and @. 


&O] : Vv {} {M: PF ex} - &€M=EM J 
&[] {[} {° x} = var-equiv 
&([] {0} {X N} = 
let ih = &[] {M = N} in 
& (KN) 
=( lam-equiv ) 
F (EéN) 
=( ¥cong (é&[] {M 
FUN J 
=() 
[ AN ] 


N}) ) 


&([] {1} {L - M} = 

&é (L: M) 

=( app-equiv ) 
éLeéM 

={ e-cong (é&[] {M =L}) (&[] {M = M}) ) 
[LJe[M] 

=() 

[L:-M] 


Unicode 


This chapter uses the following unicode: 


AF U+2131 SCRIPT CAPITAL F (\McF) 
@ vU+2131 BLACK CIRCLE (\cib) 


First, we need a variant of a lemma given earlier.The proof is 
then as follows. 


Soundness: Soundness of reduction with 
respect to denotational semantics 


module plfa.part3.Soundness where 


Introduction 


In this chapter we prove that the reduction semantics is sound 
with respect to the denotational semantics, i.e., for any term L 


L—~ AN implies € L= €& (A N) 


The proof is by induction on the reduction sequence, so the main 
lemma concerns a single reduction step. We prove that if any 
term M steps to a term N, then M and N are denotationally 
equal. We shall prove each direction of this if-and-only-if sepa- 
rately. One direction will look just like a type preservation proof. 
The other direction is like proving type preservation for reduc- 
tion going in reverse. Recall that type preservation is sometimes 
called subject reduction. Preservation in reverse is a well-known 
property and is called subject expansion. It is also well-known that 
subject expansion is false for most typed lambda calculi! 


Imports 


open import Relation.Binary.PropositionalEquality 
using (=; # ; refl; sym; cong; congz2; cong-app) 
open import Data.Product using (_x ; 2; X-syntax; 4; d-syntax; proji 
renaming (_,_ to (_,_)) 
open import Agda.Primitive using (lzero) 
open import Relation.Nullary using (-_) 
open import Relation.Nullary.Negation using (contradiction) 
open import Data.Empty using (1-elim) 
open import Relation.Nullary using (Dec; yes; no) 
open import Function using ( ° ) 


open import plfa.part2.Untyped 
using (Context; ,.; 3) ey a&: Z3 Sj 7p Ke 3 
subst; [ ]; subst-zero; ext; rename; exts; 
oe SiG Eas BEC) ae} es a) 
open import plfa.part2.Substitution using (Rename; Subst; ids) 
open import plfa.part3.Denotational 
using (Value; 1; Env; Fu; *,; £; “G3; “L; “ui; init; 1 
C-refl; €-trans; “G-refl; E-env; ©-env-conj-Rl; E-env-cc 
var; »-elim; »-intro; L-intro; U-intro; sub; 
rename-pres; &; = ; =-trans) 


open import plfa.part3.Compositional using (lambda-inversion; var-in 


Forward reduction preserves denotations 


The proof of preservation in this section mixes techniques from 
previous chapters. Like the proof of preservation for the STLC, 
we are preserving a relation defined separately from the syntax, 
in contrast to the intrinsically-typed terms. On the other hand, 
we are using de Bruijn indices for variables. 


The outline of the proof remains the same in that we must prove 
lemmas concerning all of the auxiliary functions used in the re- 
duction relation: substitution, renaming, and extension. 


Simultaneous substitution preserves denotations 


Our next goal is to prove that simultaneous substitution pre- 
serves meaning. That is, if M results in v in environment y, 
then applying a substitution o to M gives us a program that also 
results in v, but in an environment 6 in which, for every vari- 
able x, o x results in the same value as the one for x in the 
original environment y. We write 6 ~F o 4 y for this condi- 
tion. 


infix 3 “Fa 
“kt: V{A TT} > Env A = Subst F A = EnvT = Set 
“kit {AH} G60 y= (VW (x: F3%*) >6bF OX yx) 


As usual, to prepare for lambda abstraction, we prove an exten- 
sion lemma. It says that applying the exts function to a substi- 
tution produces a new substitution that maps variables to terms 


that when evaluated in 6 , v produce the valuesin y , v. 


subst-ext : V {f A v} {y : Env T} {6 : Env A} 
> (o : Subst T A) 
~6 Fouy 
>~6°*,v ‘Fextsolry,v 
subst-ext o d Z = var 
subst-ext o d (S x’) = rename-pres S (A _ > E-refl) (d x’) 


The proof is by cases on the de Bruijn index x. 


- Ifitis z, then we need to show that 6 , v F #01 v, 
which we have by rule var. 


- If it is S x’,then we need to show that 6 , v F 
rename S_ (o x’) + y x’, which we obtain by the 
rename-pres lemma. 


With the extension lemma in hand, the proof that simultaneous 
substitution preserves meaning is straightforward. Let’s dive in! 


subst-pres : V {f Av} {y : Env Tl} {6 : Env A} {M: TF x} 
> (o : Subst T A) 


> 6+t substoMuv 
subst-pres o s (var {x = x}) =Ss x 
subst-pres o S (»-elim di d2) = 

»-elim (subst-pres o s di) (Subst-pres o § dz) 
subst-pres o § (v-intro d) = 

»-intro (subst-pres (A {A} > exts o) (subst-ext o s) d) 
subst-pres o s 1-intro = L-intro 
subst-pres o s (L-intro di dz) = 

U-intro (subst-pres o s di) (subst-pres o §s dz) 
subst-pres o s (sub d lt) = sub (subst-pres o s d) lt 


The proof is by induction on the semantics of M. The two inter- 
esting cases are for variables and lambda abstractions. 


* For a variable x, we have that v = y x and we need to 
show that 6 F o x J v. From the premise applied to x, 


we have that 6 Fo x | y xaka 6 Fox v. 


¢ For a lambda abstraction, we must extend the substitution 
for the induction hypothesis. We apply the subst-ext 
lemma to show that the extended substitution maps vari- 
ables to terms that result in the appropriate values. 


Single substitution preserves denotations 


For B reduction, (A N) - M—+ N [ M ], we need to show 
that the semantics is preserved when substituting M for de Bruijn 
index 0 in term N. By inversion on the rules ~-elim and »- 
intro, we have that y , v F M4! wand y FN J v.So 
we need to show that y F M [ N ] 4 w, or equivalently, that 
y F subst (subst-zero N) MJ w. 


substitution : V {[} {fy : Env FT} {NM v w} 
>vy-,vENuUWwW 


>yFEN[M]uw 
substitution{l }{y}{N}{M}{v}{w} dn dm = 
subst-pres (subst-zero M) sub-z-ok dn 


where 

sub-z-ok : y “+ subst-zero Mz (y ~, v) 
sub-z-ok Z = dm 

sub-z-ok (S x) = var 


This result is a corollary of the lemma for simultaneous substitu- 
tion. To use the lemma, we just need to show that subst-zero 
M maps variables to terms that produces the same values as those 
in y , v.Let y bean arbitrary variable (de Bruijn index). 


-Ifitis Z,then (subst-zero M) y = Mand (y , v) 
y = v. By the premise we conclude that y F M 4 v. 


-Ifitis S x, then (subst-zero M) (S x) = xand (y 
, v) (S x) = y x. So weconclude that y F x 1 vy 
x by rule var. 


Reduction preserves denotations 


With the substitution lemma in hand, it is straightforward to 
prove that reduction preserves denotations. 


preserve : V {f} {y : Env T} {MN v} 


-yVyFMuv 

-~M—N 

-vyFNuv 
preserve (var) () 
preserve (»-elim di dz) (&1 r) = »-elim (preserve di r) d2 
preserve (»-elim di dz) (&2 = »-elim di (preserve dz r) 
preserve (v»-elim di dz) B = eee pe (lambda-inversion di) d2 
preserve (»-intro d) (¢ r) = »-intro (preserve d r) 
preserve L-intro r = L-intro 
preserve (U-intro d di) r = U-intro (preserve dr) (preserve di r) 
preserve (sub d lt) r = sub (preserve dr) lt 


We proceed by induction on the semantics of M with case analy- 
sis on the reduction. 


* If Mis a variable, then there is no such reduction. 


* If M is an application, then the reduction is either a con- 
gruence (€, or €,) or B. For each congruence, we use the in- 
duction hypothesis. For B reduction we use the substitution 
lemma and the sub rule. 


* The rest of the cases are straightforward. 
Reduction reflects denotations 


This section proves that reduction reflects the denotation of a 
term. That is, if N results in v, and if M reduces to N, then M 
also results in v. While there are some broad similarities be- 
tween this proof and the above proof of semantic preservation, 
we shall require a few more technical lemmas to obtain this re- 
sult. 


The main challenge is dealing with the substitution in B reduc- 
tion: 


(AN) -M—>N[M ] 


We have that y | N [ M ] | v and need to show that y F 
(A N) + M J v. Now consider the derivation of y F N [ M 
] 4 v. The term M may occur 0, 1, or many times inside N [ 
M j. At each of those occurrences, M may result in a different 
value. But to build a derivation for (A N) - M, we need a sin- 
gle value for M. If M occurred more than 1 time, then we can 
join all of the different values using WU. If M occurred 0 times, 
then we do not need any information about M and can therefore 
use for the value of M. 


Renaming reflects meaning 
Previously we showed that renaming variables preserves mean- 


ing. Now we prove the opposite, that it reflects meaning. That is, 
if 6 -F rename pop M J v, then y | M J v, where (6 ° 


ext-°c : V {Ff Av} {y : Env TF} {6 : Env A} 
> (p : Rename T A) 
~ (6° p) Ey 
> ((6 ~, v) ° ext p) “E (y -, v) 

ext-°£ p lt Z = £-refl 

ext--E p lt (S x) = lt x 


rename-reflect : V {f Av} {y : Env FT} {6 : Env A} {M: TF x} 

> {p : Rename T A} 

~ (6° p) Ey 

> 6+ rename pMiv 

-VFMuv 
rename-reflect {M = * x} all-n d with var-inv d 
... | lt = sub var (€-trans 1t (all-n x)) 
rename-reflect {M = X N}{p = p} all-n (#-intro d) = 

»-intro (rename-reflect (ext-°£ p all-n) d) 
rename-reflect {M = X N} all-n L-intro = L-intro 
rename-reflect {M = X N} all-n (U-intro di dz) = 

Li-intro (rename-reflect all-n di) (rename-reflect all-n dz) 
rename-reflect {M = X N} all-n (sub di 1t) = 

sub (rename-reflect all-n di) lt 
rename-reflect {M =L : M} all-n (»-elim di dz) = 

»-elim (rename-reflect all-n di) (rename-reflect all-n dz) 
rename-reflect {M = L : M} all-n L-intro = L-intro 


rename-reflect {M =L : M} all-n (L-intro di dz) = 

Li-intro (rename-reflect all-n di) (rename-reflect all-n dz) 
rename-reflect {M = L : M} all-n (sub di lt) = 

sub (rename-reflect all-n di) lt 


We cannot prove this lemma by induction on the derivation of 6 
F rename p M J v, so instead we proceed by induction on M. 


* If it is a variable, we apply the inversion lemma to obtain 
that v © 6 (p x). Instantiating the premise to x we 
have 6 (pe x) © y x,so weconclude by the var rule. 


If it is a lambda abstraction A N, we have rename p (A 
N) = A (rename (ext e) N). We proceed by cases on 
6 FA (rename (ext p) N) J v. 


© Rule ~-intro: To satisfy the premise of the induc- 
tion hypothesis, we prove that the renaming can be 
extended to be a mapping from y , vto 6 , v. 


© Rule L-intro: We simply apply -L-intro. 


© Rule U-intro: We apply the induction hypotheses 
and U-intro. 


© Rule sub: We apply the induction hypothesis and 
sub. 


If it is an application L - M,wehave rename p (L 
M) = (rename p L) - (rename p M). We proceed by 
caseson 6 F (rename p L) +: (rename p M) J v 
and all the cases are straightforward. 


In the upcoming uses of rename-reflect, the renaming will 
always be the increment function. So we prove a corollary for 
that special case. 


rename-inc-reflect : V {f v’ v} {fy : EnvT} {M: TF x} 
> (y *, v’) Frename S Miu v 
-VyVFMuv 

rename-inc-reflect d = rename-reflect “E-refl d 


Substitution reflects denotations, the variable case 


We are almost ready to begin proving that simultaneous substitu- 
tion reflects denotations. That is, if y F (subst o M) J v, 
then y F o k | 6 kand 6 - M J v for any k and some 
6. We shall start with the case in which Misa variable x. So in- 
stead the premise is y F o x | v and we need to show that 6 
F * x 4 v forsome 6. The 6 that we choose shall be the en- 
vironment that maps x to v and every other variable to L. 


Next we define the environment that maps x to v and every 
other variable to L, that is const-env x v. To tell variables 
apart, we define the following function for deciding equality of 
variables. 


var=_: V {fT} = (x y : F 3 x) = Dec (x = y) 


Z var£ Z = yes refl 
Z var (S_) = no A() 
(S _) var= Z = no A() 
(S x) var+ (S y) with x var2 y 
sith | yes refl = yes refl 
| no neq = no Af{refl > neq refl} 


var=-refl : V {7} (x : 7 3 *) > (x var# x) = yes refl 
var=-refl Z = refl 
var=-refl (S x) rewrite var4+-refl x = refl 


Now we use var to define const-env. 


const-env : V{T} > (x : F 3 *) > Value - Env TF 
const-env x v y with x var= y 
| yes _ 
| no _ 


Vv 
al 


Of course, const-env x vmaps x tovalue v 


same-const-env : V{F} {x : F 3 «} {v} ~ (const-env x v) x =v 
same-const-env {x = x} rewrite var+-refl x = refl 


and const-env x vmaps yto 1, so long asx#¥y. 


diff-const-env : V{T} {x y : T 3 «} {v} 
>x#y 
> const-env Xx VY =L 
diff-const-env {[} {x} {y} neq with x var= y 
| yes eq = L-elim (neq eq) 
| no _ refl 


So we choose const-env x v for 6 and obtain 6 F- x 4 
v with the var rule. 


It remains to prove that y ~F o | Sand 6 | M J v for any 
k, given that we have chosen const-env x v for 6. We shall 
have two cases to consider, x = yor x # y. 


Now to finish the two cases of the proof. 


* In the case where x = y, we need to show that y F o 
y + v, but that’s just our premise. 

¢ In the case where x # y, we need to show that y F o 
y + -L, which we do viarule L-intro. 


Thus, we have completed the variable case of the proof that si- 
multaneous substitution reflects denotations. Here is the proof 
again, formally. 


subst-reflect-var : V {Ff A} {y : Env A} {x : F 5 x} {v} fo: 
>VFOXIV 
> 2[ 6€EnvF Jy tot6 x 6F* xv 
subst-reflect-var {[}{A}{y}{x}{v}{o} xv 
rewrite sym (same-const-env {f}{x}{v}) = 
{ const-env x v , ( const-env-ok , var ) ) 
where 
const-env-ok : y “~- o 4 const-env x v 
const-env-ok y with x var= y 
| yes x=y rewrite sym x=y | same-const-env {f}{x}{v} = 


Subst [ 


XV 


| no x#y rewrite diff-const-env {[}{x}{y}{v} x#y = 1-intro 


Substitutions and environment construction 


Every substitution produces terms that can evaluate to L. 


subst-L : V{F A}{y : Env A}{o : Subst T A} 


>Y FOL CL 
subst-1 x = L-intro 


If a substitution produces terms that evaluate to the values in 
both yi and yz2, then those terms also evaluate to the values in 
yi U yo. 


subst-U : V{T A}{y : Env A}{yi y2 : Env F}{o : Subst T A} 


>Vy ‘Fo? (y1 “U yz) 
subst-Ll y1-0k y2-ok x = Ll-intro (y1-ok x) (y2-ok x) 


The Lambda constructor is injective 


lambda-inj : V {fT} {MN:F ,x«bk x } 
> = {A=T + x} (KM) (XN) 


-MeEN 
lambda-inj refl = refl 


Simultaneous substitution reflects denotations 


In this section we prove a central lemma, that substitution re- 
flects denotations. That is, if y F subst o M | v,then 6 F 
Mt vand y *F o | 6 for some 6. We shall proceed by in- 
duction on the derivation of y F subst o M | v. This re- 
quires a minor restatement of the lemma, changing the premise 
to y F L i vand L = subst o M. 


> (init 6°, last 6) FMuv 
split {5 = 6} 6Mv rewrite init-last 6 = 6Mv 


subst-reflect : V {f A} {6 : Env A} {M: TF - x} {v} {L : AE x} {o: 


~6FLuv 


> subst oMEL 


> XL y€Envr ] 6 tory x yrEMuv 


subst-reflect {M = M}{o = o} (var {x = y}) eql with M 
| ~ x with var {x = y} 


| yy rewrite sym eql = subst-reflect-var {o = o} yv 
subst-reflect {M = M} (var {x = y}) () | Ma + Me 
subst-reflect {M = M} (var {x = y}) () | AM 


subst-reflect {M = M}{o = o} (»-elim di dz) eqLl 
with M 
| © x with »-elim di dz 
aides | d’ rewrite sym eqL = subst-reflect-var {o = o} d’ 
subst-reflect (»-elim di d2) () | AM 
subst-reflect{l}{A}{y}{o = o} (»-elim di dz) 
refl | Mi - M2 
with subst-reflect {M = Mi} di refl | subst-reflect {M = M2} dz 
| ( 61 , ( subst-61 , ml ) ) | ( 62 , ( Subst-62 , m2) ) = 
( 61 “U 62 , ( subst-U {yi = 61}{y2 = 62}{o = o} subst-61 subst 
»-elim (E-env ml (€-env-conj-Rl 61 62)) 
(C-env m2 (€-env-conj-R2 61 62)) ) ) 


subst-reflect {M = M}{o = o} (»-intro d) eqlL with M 
| © X with (»-intro d) 
won | d’ rewrite sym eqL = subst-reflect-var {o = o} d’ 
subst-reflect {o = o} (»-intro d) eq | X M’ 
with subst-reflect {o = exts o} d (lambda-inj eq) 
| ( 6’ , ( exts-o-6’ , m’ ) ) = 
( init 6° , ( ((A x = rename-inc-reflect (exts-o-6’ (S x)))) , 
»-intro (up-env (split m’) (var-inv (exts-o-6’ Z))) ) ) 

subst-reflect (»-intro d) () | Mz - Me 


subst-reflect {o = o} L-intro eq = 
( “L , ( subst-L {o = o} , L-intro ) ) 


subst-reflect {o = o} (U-intro di dz) e 
with subst-reflect {o = o} di eq | subst-reflect {o = o} d2 eq 
| ( 61 , ( Subst-61 , ml ) ) | ( 62 , ( Subst-62 , m2) ) = 
( 61 “U 62 , ( subst-U {yi = 61}{y2 = 62}{o = o} subst-61 subst 
U-intro (E-env ml (E-env-conj-R1 6:1 62)) 
(C-env m2 (€-env-conj-R2 61 62)) ) ) 
subst-reflect (sub d lt) eq 
with subst-reflect d eq 
| ( 6 , ( subst-6 , m) ) = ( 6, ( Subst-6 , sub m lt ) ) 


* Case var: We have subst o M = y,so M must also bea 


variable, say x. We apply the lemma subst-reflect- 
var to conclude. 


* Case 


—elim: We have subst o M = Ii - Lz. We 


proceed by cases on sM. 


© 


‘@) 


* Case 


Case M = ~ x: We apply the subst-reflect- 
var lemma again to conclude. 


Case M = M, - Mo: By the induction hypothesis, we 
have some 6; and 62 such that 61 F M 4! wi’ 
v3 and y “Ff o J 61, as well as 62 - Me ! vi 
and y “FF o | 62. By E-env we have 61 U 62 
FM 4+ vi * vgand 6; U 62 F M2 J! vi (using 
EC-env-conj-Rl and [-env-conj-R2), and 
therefore 6; U 652 -F M - M2 | v3. We conclude 
this case by obtaining y ~F o | 61 U 6&2 by the 
subst—U lemma. 


-intro: We have subst o M = A L’. We pro- 


ceed by cases on M. 


O 


@) 


* Case 


Case M = x: We apply the subst-reflect-var 
lemma. 


Case M = A M’: By the induction hypothesis, we 
have (6’ , v') FM’ J vo2and (6, wi) FE 
exts o | (6' , wv’). From the later we have (6 
, vi) F # 0 4 v’'. By the lemma var-inv we 
have v’ © vi, so by the up-env lemma we have 
(S’ , v1) FM’ ¢§ voandtherefore 5’ F A M’ 
4 vi > v2. We also need to show that 6 F o J 6 
'. Fix k. We have (6 , wi) F rename S_ ok 
4 6 k’. We then apply the lemma rename-inc- 
reflect to obtain 6 F o k | & k’,so this case 
is complete. 


t-intro: We choose Ll for 6.Wehave L FM 4 


1 by l-intro. We have 6 *F o 4} ‘1 by the lemma 
subst-L. 


* Case U-intro: By the induction hypothesis we have 61 
-FMiwi, 62 FM v2,65 “Fo 1 61,and 6 “Fo 
1 52. We have 61 U 62 FM | vi and 6; U 62 FM 
4 v2 by E-env with E-env-conj-R1 and E-env- 
conj-R2. So by U-intro we have 6; U 62 FM! vi 
LU v2. By subst—U we conclude that 6 *F o | 6, U 
62. 


Single substitution reflects denotations 


Most of the work is now behind us. We have proved that simulta- 
neous substitution reflects denotations. Of course, B reduction 
uses single substitution, so we need a corollary that proves that 
single substitution reflects denotations. That is, given terms N 
(Tr, *&k & *®&)andM: (reF*),if y-N [TM] Uw, 
then y F M1 vand (vy, v) FN Jt wforsome value v. 
We have N [ M ] = subst (subst-zero M) N. 


We first prove a lemma about subst-zero, that if 6 F 
subst-zero M J y,then y “E (6, w) x 6 - M4 wfor 
some w. 


subst-zero-reflect : V {A} {6 : Env A} f{y : Env (A , «)} {M: AF x} 
> 6 “+ subst-zeroMs y 
> X[ w€ Value ] y “© (6°, w) x 65+ MuwWw 

subst-zero-reflect {6 = 5} {y = y} Boy = ( last y , ( lemma , 6oy Z 
where 
lemma : y “E (6 °, last y) 
lemma Z = C-refl 
lemma (S x) = var-inv (6oy (S x)) 


We choose w to be the last value in y and we obtain 6 F M | 
w by applying the premise to variable Z. Finally, to prove y “© 
(6 , w), we prove a lemma by induction in the input variable. 
The base case is trivial because of our choice of w. In the induc- 
tion case, S x, the premise 6 F subst-zero M | y gives us 
6 - x 4 y (S x) and then using var-inv we conclude that 
y (S x) E (6 *, w) (S x). 


Now to prove that substitution reflects denotations. 


substitution-reflect : V {A} {6 : Env A} {N: A, «x F- x} {M 
~6-EN[M]l]uv 
> X[we€Value ]6F+Miuw x (6*,w) ENV 
substitution-reflect d with subst-reflect d refl 
| ( y , ( Boy , yNv ) ) with subst-zero-reflect boy 


> AEF x} 


| (w, ( ineq , 6Mw ) ) = (w, ( 6M , C-env yNv ineq ) ) 


We apply the subst-reflect lemma to obtain 6 F subst- 
zero M 4 yand y F N |! v for some y. Using the former, 
the subst-zero-reflect lemma gives us y ~“E (6 , w) 
and 6 - M | w. Weconclude that 6 , w FN 4} v by apply- 
ing the E-env lemma, using y Fk N ! vand y “E (6 , 
Ww). 


Reduction reflects denotations 


Now that we have proved that substitution reflects denotations, 
we can easily prove that reduction does too. 


reflect-beta : V{T}{y : Env [}{M N}{v} 
>VF(N[M]) uv 
>yF(XN):-Muv 
reflect-beta d 
with substitution-reflect d 
wee | (v2, ( di’ , d2” ) ) = -elim (»-intro d2’) di’ 


reflect : V {f} {y : EnvT} {MM’ N v} 
->yFNiv>=~M—>M = M = 
->VFMuv 

reflect var (€1 r) () 

reflect var (&2 r) () 

reflect{y = y} (var{x 
with var{fy = y}{x 

... | d° rewrite sym mn = reflect-beta d’ 

reflect var (Cr) () 


reflect (»-elim di dz) (&1 r) refl = »-elim (reflect di r refl) dz 
reflect (»-elim di d2) (&2 r) refl = +-elim di (reflect d2 r refl) 
reflect (»-elim di dz) B mn 


with »-elim di d2 
... | d° rewrite sym mn = reflect-beta d’ 
reflect (»-elim di dz) (Cr) () 


reflect (»-intro d) (&1 
reflect (»-intro d) (&2 
reflect (»-intro d) B mn 
with »-intro d 
... | d° rewrite sym mn = reflect-beta d’ 
reflect (»-intro d) (€ r) refl =»-intro (reflect dr refl) 
reflect 1-intro r mn = 1-intro 
reflect (Li-intro di dz) r mn rewrite sym mn = 
U-intro (reflect di r refl) (reflect dz r refl) 
reflect (sub d lt) r mn = sub (reflect dr mn) Ut 


r) 
r) 


Reduction implies denotational equality 


We have proved that reduction both preserves and reflects deno- 
tations. Thus, reduction implies denotational equality. 


reduce-equal : V {Tf} {M: PF & «} {N: Fb x} 
~M—N 
- €M=é€EN 
reduce-equal {F}{M}{N} r y v = 
( (Am - preserve mr) , (An-reflect nr refl) ) 


We conclude with the soundness property, that multi-step reduc- 
tion to a lambda abstraction implies denotational equivalence 
with a lambda abstraction. 


soundness : Vif} {M: F FE x} {N: F , «FE x} 
>M—~»iN 
~ &€M= é (KN) 
soundness (.(X _) 8) yv=( (Axx) , (Ax = x) ) 
soundness {ff} (L —( r ) MeN) yv = 
let ih = soundness M—-N in 
let e = reduce-equal r in 
=-trans {[} e ihy v 


Unicode 


This chapter uses the following unicode: 


= U+225F QUESTIONED EQUAL TO (\?=) 


Adequacy: Adequacy of denotational se- 
mantics with respect to operational se- 
mantics 


module plfa.part3.Adequacy where 


Introduction 


Having proved a preservation property in the last chapter, a nat- 
ural next step would be to prove progress. That is, to prove a 
property of the form 


If y F M + v, then either M is a lambda 
abstraction or M — N for some N. 


Such a property would tell us that having a denotation implies 
either reduction to normal form or divergence. This is indeed 
true, but we can prove a much stronger property! In fact, having 
a denotation that is a function value (not -L) implies reduction 
to a lambda abstraction. 


This stronger property, reformulated a bit, is known as adequacy. 
That is, if a term M is denotationally equal to a lambda abstrac- 
tion, then M reduces to a lambda abstraction. 


€M=é (AN) implies M—~ A N' for some N' 


Recall that € M = & (A N) is equivalent to saying that y - M 
1 (v  w) for some v and w. We will show that y F M J 
(v  w) implies multi-step reduction a lambda abstraction. The 
recursive structure of the derivations for y F M | (v © w) 
are completely different from the structure of multi-step reduc- 
tions, so a direct proof would be challenging. However, The 
structure of y F M 4 (v » w) closer to that of BigStep call- 
by-name evaluation. Further, we already proved that big-step 


evaluation implies multi-step reduction to a lambda 
(cbn->reduce). So we shall prove that y FH M | (v © w) im- 
plies that y' KF M J c, where c is a closure (a term paired 
with an environment), y' is an environment that maps variables 
to closures, and y and y' are appropriate related. The proof 
will be an induction on the derivation of y F M |! v, and to 
strengthen the induction hypothesis, we will relate semantic val- 
ues to closures using a logical relation V. 


The rest of this chapter is organized as follows. 


* To make the V relation down-closed with respect to ©, we 
must loosen the requirement that M result in a function 
value and instead require that M result in a value that is 
greater than or equal to a function value. We establish sev- 
eral properties about being “greater than a function”. 


We define the logical relation WV that relates values and 
closures, and extend it to a relation on terms E and envi- 
ronments G. We prove several lemmas that culminate in 
the property that if V v cand v’ E v,then V v’ c. 


We prove the main lemma, thatif G y y' and y FM 4 
v, then E v (clos M y'). 


* We prove adequacy as a corollary to the main lemma. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 


open Eq using (=; #; refl; trans; sym; cong; cong2; cong-app) 
open import Data.Product using (_x ; 2; X-syntax; 4; d-syntax; proji 
renaming (_, to (_, _)) 


open import Data.Sum 
open import Relation.Nullary using (-_) 
open import Relation.Nullary.Negation using (contradiction) 
open import Data.Empty using (1-elim) renaming (1 to Bot) 
open import Data.Unit 
open import Relation.Nullary using (Dec; yes; no) 
open import Function using ( ° ) 
open import plfa.part2.Untyped 

using (Context; Fj; *; 35359; ,;Z;S 3; ;% 3 +3 


rename; subst; ext; exts; [ ]; subst-zero; 
—»_; —(_) 3; _B; >; &1; &2; B; %) 
open import plfa.part2.Substitution using (ids; sub-id) 
open import plfa.part2.BigStep 
using (Clos; clos; ClosEnv; 2'; ,' ; F 4; 4-var; u-lam; 4-ar 
u-determ; cbn-reduce) 
open import plfa.part3.Denotational 
using (Value; Env; “@; °, ; »; £; Fuss; L; all-funs€; u 
var; »-elim; »-intro; U-intro; L-intro; sub; &; =; if 
c-trans; ©-conj-R1l; ©&-conj-R2; ©-conj-L; G-refl; ©-fun; 
C-dist; sub-inv-fun) 
open import plfa.part3.Soundness using (soundness) 


The property of being greater or equal to a function 


We define the following short-hand for saying that a value is 
greater-than or equal to a function value. 


above-fun : Value > Set 
above-fun u = 2[ v € Value ] 2[ w € Value ] ve weEu 


If a value u is greater than a function, then an even greater 
value u' is too. 


above-fun-& : V{u u' : Value} 
~ above-fun u > u E u' 
> above-fun u' 
above-fun-E (v,(w, lt' )) t=(v, (w, &-trans lt' lt ) ) 


The bottom value is not greater than a function. 


above-funl : — above-fun 1 
above-funl (v,(w, lt) ) 
with sub-inv-fun lt 
2) CR ¢ (tT » CTSt gC Utl yj. U2) >} 4 
with all-funseé f 
. | (A, (B,m) ) 
with Fel m 
oe LO 


If the join of two values u and u' is greater than a function, 


then at least one of them is too. 


above-fun-L! : V{u u'} 
~ above-fun (u LU u') 
> above-fun u W above-fun u' 
above-fun-Li{u}{u'} ( v_, ( w., vewEullu' ) ) 
with sub-inv-fun vewEuLlu' 

. | (PF, ¢ €, ( Fouuu' , ( ttl, 1t2))) ») 
with all-funsé f 
[4Ay CB sm} ] 
with Feuuu' m 
| inji x = inji ( 
| injz x inj 
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On the other hand, if neither of u and u' is greater than a func- 
tion, then their join is also not greater than a function. 


not-above-fun-Li : V{u u' : Value} 
~ 7 above-fun u > - above-fun u' 
> 7 above-fun (u U u') 
not-above-fun-U nafl naf2 af12 
with above-fun-U af12 
... | inji afl = contradiction afl nafl 
| injz af2 = contradiction af2 naf2 


The converse is also true. If the join of two values is not above a 
function, then neither of them is individually. 


not-above-fun-U-inv : V{u u' : Value} - - above-fun (u LU u') 
> -— above-fun u x - above-fun u' 
not-above-fun-U-inv af = ( f af , g af ) 
where 
f : V{u u' : Value} - - above-fun (u U u') = - above-fun u 
f{u}{u'} afl2 (v, (w, lt) )= 
contradiction ( v , ( w,, E-conj-R1 lt ) ) afl2 
g : V{u u' : Value} > - above-fun (u Ui u') = 7 above-fun u' 
g{u}{u'} afl2 (v,(w, lt) )= 
contradiction ( v , ( w,, &-conj-R2 lt ) ) afl2 


The property of being greater than a function value is decidable, 
as exhibited by the following function. 


above-fun? : (v : Value) > Dec (above-fun v) 


above-fun? 1 = no above-funl 

above-fun? (v » w) = yes (v, (w, E-refl ) ) 

above-fun? (u LU u') 
with above-fun? u | above-fun? u' 
| yes(v,(w,tlt))|_=yes(v,(w, (€-conj-Ri lt) ) 
|} no | yes {(v,(w, tt) )=yes (v, (w, (E&-conj-R2 lt) 
| no x | no y = no (not-above-fun-U x y) 


Relating values to closures 


Next we relate semantic values to closures. The relation V is for 
closures whose term is a lambda abstraction, i.e., in weak-head 
normal form (WHNF). The relation E is for any closure. Roughly 
speaking, E v c will hold if, when v is greater than a function 
value, c evaluates to a closure c' in WHNF and V v c'. Re- 
garding V v c, it will hold when c is in WHNF, and if visa 
function, the body of c evaluates according to v. 


V : Value - Clos = Set 
E : Value = Clos - Set 


We define V as a function from values and closures to Set and 
not as a data type because it is mutually recursive with E in a 
negative position (to the left of an implication). We first perform 
case analysis on the term in the closure. If the term is a variable 
or application, then V is false (Bot). If the term is a lambda ab- 
straction, we define V by recursion on the value, which we de- 
scribe below. 


V v (clos (*~ x1) y) = Bot 
V v (clos (M+ Mi) y) = Bot 
V Lt (clos (XM) y) =T 
V (ve w) (clos (XN) y) = 
(V{c : Clos} += E v c > above-fun w > X[ c' € Clos ] 
(y,'c)FNuct x Vwe') 
V (uu v) (clos (XN) y) = Vu (clos (AN) y) x Vv (clos (X N) y) 


¢ If the value is L, then the result is true (T). 


* If the value is a join (u U v), then the result is the pair 
(conjunction) of V is true for both u and v. 


* The important case is for a function value v ~ wand clo- 
sure clos (A N) y. Given any closure c such that E v 
c, if w is greater than a function, then N evaluates (with 
y extended with c) to some closure c' and we have V w 
c’. 


The definition of E is straightforward. If v is a greater than a 
function, then M evaluates to a closure related to v. 


E v (clos M y') = above-fun v > 2[ c€ Clos] yy’ F#MucxVve 


The proof of the main lemma is by inductionon y F M 4 v,so 
it goes underneath lambda abstractions and must therefore rea- 
son about open terms (terms with variables). So we must relate 
environments of semantic values to environments of closures. In 
the following, G relates y to y' if the corresponding values and 
closures are related by E. 


G : V{T} = Env FT - ClosEnv [ = Set 
G {ff} y y' = V{x : F 3 «} + E (y x) (y' x) 


G-2:Ge@' 


G-@ {()} 

G-ext : V{T}{y : Env T}{y' : ClosEnv [}{v c} 
-Gyy' -Evc-G (vy, v) (y' ,' c) 

G-ext {[} {vy} fy'} ge {Z} =e 

G-ext {T} {y} fy'} ge {S x} =g 


We need a few properties of the V and E relations. The first is 
that a closure in the V relation must be in weak-head normal 
form. We define WHNF has follows. 


data WHNF : V {f A} >[ F A = Set where 
KX :V {TF} {N: T , *« F x} 
> WHNF (X N) 


The proof goes by cases on the term in the closure. 


VoWHNF : V{P}{y : ClosEnv T}{M : FT F x}{v} 
> V v (clos M y) > WHNF M 


V-oWHNF {M = ~ x} {v} () 
V-WHNF {M = X N} {v} ve = ~_ 
V-WHNF {M =L + M} {v} () 


Next we have an introduction rule for V that mimics the L- 
intro rule. If both u and v are related to a closure c, then 
their join is too. 


Vu-intro : V{c u v} 
-Vucr-Vvec 


-~V(uuv)c 
Vu-intro {clos (~ x) y} () ve 
Vu-intro {clos (X N) y} uc vc = ( uc , ve ) 
Vu-intro {clos (L - M) y} () ve 


In a moment we prove that V is preserved when going from a 
greater value to a lesser value: if V v cand v' € vy, then V 
v' c. This property, named sub-V, is needed by the main 
lemma in the case for the sub rule. 


To prove sub-V, we in turn need the following property con- 
cerning values that are not greater than a function, that is, values 
that are equivalent to L. In such cases, V v (clos (A N) 
y') is trivially true. 


not-above-fun-V : V{v : Value}{f}{y' : ClosEnv F}{N: TF , * F x } 
~ -= above-fun v 
> Vv (clos (XN) y') 
not-above-fun-V {1} af = tt 
not-above-fun-V {v » v'} af = contradiction ( v , ( v' , E-refl ) ) 
not-above-fun-V {vi LI v2} af 
with not-above-fun-Li-inv af 
| ( afl , af2 ) = ( not-above-fun-V afl , not-above-fun-V af2 ) 


The proofs of sub-V and sub-E are intertwined. 


sub-V : V{c : Clos}{v v'} =->Vvc- 


vi'ieGv 
sub-E : V{c : Clos}{v v'} > Evce-vi Ev 


We prove sub-V by case analysis on the closure’s term, to dis- 


patch the cases for variables and application. We then proceed 
by induction on v' © v. We describe each case below. 


sub-V {clos (~ x) y} {v} () lt 
sub-V {clos (L - M) y} () lt 
sub-V {clos (X N) y} ve E-bot = tt 
sub-V {clos (X N) y} ve (E-conj-L ltl 1t2) = ( (sub-V vc 1t1) , sub. 
sub-V {clos (X N) y} ( wl , vv2 ) (&-conj-R1 lt) sub-V vvl1 lt 
sub-V {clos (X N) y} ( wl , vwv2 ) (E-conj-R2 lt) sub-V vv2 lt 
sub-V {clos (X N) y} ve (&-trans{v = v2} ltl 1t2) sub-V (sub-V vc 
sub-V {clos (X N) y} ve (E-fun ltl 1t2) evl sf 
with ve (sub-E evl 1t1) (above-fun-& sf 1t2) 
.-» | (ec, ( Nc, v4) )=(c, ( Ne , Sub-V v4 1t2 ) ) 
sub-V {clos (X N) y} {v»wUvew'} ( vew , vew' ) C-dist evlc sf 
with above-fun? w | above-fun? w' 
... | yes af2 | yes af3 
with vew evic af2 | vcw' evic af3 
| «( clos L 6, ( Lucz , W ) ) 
| ( cs , ( Lucs , W' ) ) rewrite u-determ Lics Lic2 with V-WHNI 
[t= 
( clos L 6, ( Lucz , ( Ww, W' ) ) ) 
sub-V {c} {ve wLUvew'} ( vew, vew' ) E-dist evic sf 
| yes af2 | no naf3 
with vew evic af2 
... | ( clos {f'} L yi , ( Luc2 , W ) ) 
with V3WHNF Vw 
... | A. {N=N'} = 
let W' = not-above-fun-V{w'}{T'}{yi}{N'} naf3 in 
{ clos (A N') yi , ( Luc2 , VU-intro Ww Wi' ) ) 
sub-V {c} {ve wLlvew'} ( vew , vew' ) E-dist evic sf 
| no naf2 | yes af3 
with vew' evlc af3 
| ( clos {F'} L yi , ( Luc3 , W'c ) ) 
with V-WHNF Vw'c 
... | A  {N=N'} = 
let We = not-above-fun-V{w}{l'}{yi}{N'} naf2 in 
{ clos (X N') yi , ( Luc3 , VU-intro Wwe Wi'c ) ) 
sub-V {c} {ve wLUvew'} ( vew , vew' ) E-dist evlc ( v' , ( w''! 
| no naf2 | no naf3 
with above-fun-U ( v' , ( w'' , lt) ) 
... | inji af2 = contradiction af2 naf2 
| injz af3 = contradiction af3 naf3 


* Case E-bot. We immediately have V L (clos (A N) 
Y)-. 


* Case E-conj-L. 


vi' Ev v2' Ev 


(7a? Ug") Boy 


The induction hypotheses gives us V vi' (clos (A N) 
y) and V v2" (clos (A N) y), which is all we need 
for this case. 


Case E-conj-R1. 


vi E v4 


v' E (wy U va) 


The induction hypothesis gives us V v' (clos (A N) 
Y)- 


Case E-conj-R2. 


v' E vo 


In 


v' (v1 U va) 


Again, the induction hypothesis gives us V v' (clos (A 
N) y). 


Case E-trans. 


The induction hypothesis for v2 © v gives us V vo 
(clos (A N) y). We apply the induction hypothesis for 
v' E v2 toconclude that V v' (clos (A N) y). 


Case E-dist. This case is the most difficult. We have 


V (ve w) (clos (AN) y) 
V (ve w') (clos (AN) y) 


and need to show that 


(v % (w Uw')) (clos (AN) y) 


Let c be an arbitrary closure such that E v c. Assume w 
LU w' is greater than a function. Unfortunately, this does 
not mean that both w and w' are above functions. But 
thanks to the lemma above-fun-U, we know that at 
least one of them is greater than a function. 


© Suppose both of them are greater than a function. 


Then we have y | N J clos L 6 and V w 
(clos L 6). We also have y F N J cs and V 
w' cg3. Because the big-step semantics is determinis- 


tic, we have cz = clos L 6. Also, from V w 
(clos L 6) we know that L = A N' for some 
N'. We conclude that V (w U w') (clos (A 
N') 6). 


Suppose one of them is greater than a function and 
the other is not: say above-fun wand 7 above- 
fun w'. Then from V (v © w) (clos (A N) 
y) we have y - N Y clos L v1 and V w 
(clos L yi). From this we have L = A N' for 
some N'. Meanwhile, from -= above-fun w' we 
have V w' (clos L yi). Weconclude that V (w 
Lw') (clos (A N') y1). 


The proof of sub-E is direct and explained below. 


sub-E {clos M y} {v} {v'} Ev v'ev fv' 
with Ev (above-fun-E fv' v'Ev) 


|< 
( 


c, { 
c, { 


Mic , W))= 
Muc , sub-V W v'ev ) ) 


From above-fun v' and v' E v we have above-fun v. 
Then with E v cweobtainaclosure csuchthat y /}MJc 
and V v c. We conclude with an application of sub-V with 


vi 


EC vtoshow V v' c. 


Programs with function denotation terminate via 


call-by-name 


The main lemma proves that if a term has a denotation that is 
above a function, then it terminates via call-by-name. More for- 
mally, if y HK Mt! vand Gy y',then E v (clos M y'). 
The proof is by induction on the derivation of y Fk M | v we 
discuss each case below. 


The following lemma, kth-x, is used in the case for the var rule. 


kth-x : V{f}{y' : ClosEnv [}{x :T 3 x} 
~ X[ A € Context ] X[ 6 €E ClosEnvA ] TT MEAF x ] 
y' x = clos M 6 
kth-x{y' = y'}{x = x} with y' x 
... | clos{ff =A} M6=(A,(6,(M, refl)) ) 


loE : V{T}{y : Env F}f{y' : ClosEnv F}{M : PF + x }{v} 
-Gyy' 7yrtMiv-eEv (clos My') 
toE {T} {vy} {y'} Gyy' (var{x = x}) fyx 
with kth-x{f}{y'}{x} | Gyy'{x = x} 
-[(4,(6, (MM , eq) ) ) | Gyy'x rewrite eq 
with Gyy'x fyx 
| (c , ( Misc , Vyx ) ) = 
( c , ( (t-var eg M'uc) , Vyx ) ) 
LoE {FT} {y} {y'} Gyy' (»-elim{L = L}{M = M}{v = vi}{w = v} di dz) fi 
with 1-E Gyy' di ( vi , ( v, E-refl ) ) 
. | ( clos L' 6, ( LuL' , Vviev ) ) 
with V-WHNF Vvirev 
. | X_ {N = N} 
with Vviev {clos M y'} (1-E Gyy' dz) fv 
. | (ct, ( Nuc' , W)) = 
( c' , ( u-app LuL' Nuc' , W ) ) 
LoE {7} {y} {y'} Gyy' (»-intro{N = N}{v = v}{w = w} d) fvew = 


{ clos (XN) y' , ( u-lam, E ) ) 
where E : {c : Clos} > E v c = above-fun w 
>X[ c' € Clos ] (y' ,' c)- Nuc' x Vwe' 
E {c} Eve fw = t-E (A {x} > G-ext{l}{y}{y'} Gyy' Eve {x}) 


toE Gyy' L-intro fl = L-elim (above-funl f1) 
loE Gyy' (U-intro{v = vi}{w = v2} di dz) fvl12 
with above-fun? vi | above-fun? v2 
. | yes fvl | yes fv2 
with t-E Gyy' di fvl | IE Gyy' dz fv2 
|} ( ci, ( Muci , Wr ) ) | ( C2 , ( Muc2 , We ) ) 
rewrite u-determ Muc2 Muci = 


( ci , ( Mica , W-intro Vvi Wz ) ) 
toE Gyy' (U-introf{v = vi}{w = v2} di dz) fv12 | yes fvl | no nfv2 
with 1-E Gyy' di fvl 
| ( clos {F'} M' yi , ( Muca , Wi ) ) 
with V-WHNF Vvi 
... | A. {N=N} = 
let Vv2 = not-above-fun-V{v2}{F '}{yi}{N} nfv2 in 
{ clos (XN) yi , ( Muca , VU-intro Vvi Vv2 ) ) 
toE Gyy' (U-intro{v = vi}{w = v2} di dz) fv12 | no nfvl | yes fv2 
with t-E Gyy' d2 fv2 
| « clos {F'} M' yi , ( M'uc2 , V2c ) ) 
with V-WHNF V2c 
... | A. {N=N} = 
let V1c = not-above-fun-V{vi}{F '}{yi}{N} nfvl in 
{ clos (XN) yi , ( M'sc2 , WU-intro Vlc V2c ) ) 
JoE Gyy' (U-intro di dz) fvl2 | no nfvl_ | no nfv2 
with above-fun-U fv12 
... | inji fvl = contradiction fvl nfv1 
... | injz fv2 = contradiction fv2 nfv2 
toE {T} {vy} {y'} {M} {v'} Gyy' (sub{v = v} d v'ev) fv' 
with 1-E {7} {y} {y'} {M} Gyy' d (above-fun-c fv' v'cEv) 
|} (c, (Mic, W)) = 
( c , ( Muc , sub-V W v'Ev ) ) 


* Case var. Looking up x in y' yields some closure, clos 
M' 6, and from G y y' wehave E (y x) (clos M' 
6). With the premise above-fun (y x), we obtain a 
closure c such that 6 -| M' ! cand V (y x) c. To 
conclude y' F x t cvia J-var, we need y' x = 
clos M' 6, which is obvious, but it requires some Agda 
shananigans via the kth-x lemma to get our hands on it. 


* Case ~-elim. Wehave y F L - M 1 v. The induction 
hypothesis for y F L ! vi ~ v givesus y' FL Jv 
clos L' 6and V v (clos L' 6). Ofcourse, L' = A 
N for some N. By the induction hypothesis for y F M 1} 
vi, we have E vi (clos M y"'). Together with the 
premise above-fun vand V v (clos L' 6), we ob- 
tain a closure c' such that 6 F N ’ c'and Vv c'. 
We conclude that y' F L - Mt c' byrule J-app. 


* Case ~-intro.Wehave y-} AN sv w. We imme- 
diately have y' FH AM Jt clos (A M) y' byrule J- 
lam. But we also need to prove V (v * w) (clos (A 


N) y'). Let c by an arbitrary closure such that E v c. 
Suppose v' is greater than a function value. We need to 
show that y' , c F} N t c' and V v' c' for some 
c'. We prove this by the induction hypothesis for y , v 
- N | v' but we must first show that G (y , v) (y' 
, c). We prove that by the lemma G-ext, using facts G 
y y'and Evo. 


Case L-intro. We have the premise above-fun L, but 
that’s impossible. 


Case LU-intro. We have y F M | (wi U ve) and 
above-fun (v1 U v2) andneedtoshow y' FMic 
and V (vi U v2) c for some c. Again, by above- 
fun-U, at least one of vi or vz is greater than a function. 


© Suppose both vi and v2 are greater than a function 
value. By the induction hypotheses for y F M J vi 
and y F M 1 ve wehave y' FM Joa, V wi 
c1, y' F M LY co, and V v2 ce for some ci and 


c2. Because 1 is deterministic, we have cz = c1. 
Then by VU-intro we conclude that V (v1 U 
v2) C1. 


© Without loss of generality, suppose vi is greater 
than a function value but vz is not. By the induction 
hypotheses for y F M | vi, and using V-WHNF, 
we have y' F Mt clos (A N) yi and V vi 
(clos (A N) yi). Then because vz is not greater 
than a function, we also have V v2 (clos (A N) 
v1). We conclude that V (vi U v2) (clos (A 
N) v1). 


* Case sub. We have y F M J v, v' E v, and above- 
fun v'. We need to show that y' F M t cand V v' 
c for some c. We have above-fun v by above-fun- 
E, so the induction hypothesis for y F M ! v gives usa 
closure c such that y' -F M J cand V v c. Wecon- 
clude that V v' cby sub-V. 


Proof of denotational adequacy 


From the main lemma we can directly show that € M = & (A 
N) implies that M big-steps to a lambda, i.e, © / M JL clos 
(A N’) y. 


dou : VIM: OF we}{N 1 @,x Ex} - EMe= E ( 
> X[ T € Context ] 2[ N’ E€ (F , x Ex 
@' Mu clos (XN’) y 
tou {M}{N} eq 
with 1-E G-@ ((projz (eq “@ (1% L))) (»-intro L-intro)) 
(1, (1, G-refl ) ) 
- | { clos {f} My , ¢ Mec ; Ve) } 
with V->WHNF Vc 
. | XA _{N=N’} = 
(PF, (NN, (Cy, Mec) )) 


X[ y € ClosEnv 


The proof goes as follows. We derive © Ff AN | 1 Land 
then € M = & (A N) givesus @ F Mt L » L. We con- 
clude by applying the main lemma to obtain @ - M J clos 


(A N’) vy forsome N’ and y. 


Now to prove the adequacy property. We apply the above lemma 
to obtain @ F M L clos (A N’) y and then apply 
cbn-reduce to conclude. 


adequacy : V{M: @+ «}{N: 2 ,* Fk x} 
> &M=é (KN) 
»S[N € (eo, «FE x) ] 

(M—» XN’) 
adequacy{M}{N} eq 
with 14 eq 

- | (PF, CN, Cy, Me) ) ) = 

cbn-reduce My 


Call-by-name is equivalent to beta reduction 


As promised, we return to the question of whether call-by-name 
evaluation is equivalent to beta reduction. In chapter BigStep we 
established the forward direction: that if call-by-name produces a 
result, then the program beta reduces to a lambda abstraction 
(cbn>reduce). We now prove the backward direction of the if- 
and-only-if, leveraging our results about the denotational seman- 
tics. 


reduces-cbn : V {M:@r x} {N: @, * F x} 
>M—»AN 
~ Y[ A € Context ] X[ N’ EA, xk x ] Xf 6 E€ ClosEnv A ] 
"EM u clos (AX N’) 6 


@ 
reduce-cbn M—»AN = 134 (soundness M—»XAN) 


Suppose M —~ A N. Soundness of the denotational semantics 
givesus € M = & (A N). Then by 4-1 we conclude that ©' 
FM Jt clos (A N’) 6forsome N’ and 6. 


Putting the two directions of the if-and-only-if together, we es- 
tablish that call-by-name evaluation is equivalent to beta reduc- 
tion in the following sense. 


cbnereduce : V {M: @F x} 
~(X[_NEB,xEx ] (M—- XN)) 
OTT 
(Z[ A € Context ] X[ N’ EA, *« Ex ] Tf 6 € ClosEnv A 
@' +t Mus clos (X N’) 6) 
cbnereduce {M} = ( (A x > reduce-cbn ( 
( 


(A xX = cbn-reduce 


projz x)) , 
projz (projz (projz x)))) ) 


Unicode 


This chapter uses the following unicode: 


E U+1D53C MATHEMATICAL DOUBLE-STRUCK CAPITAL E 
(\bE) 
G U+1D53E MATHEMATICAL DOUBLE-STRUCK CAPITAL G 
(\bG) 
V  U+1D53E MATHEMATICAL DOUBLE-STRUCK CAPITAL V 
(\bV) 


ContextualEquivalence: Denotational 
equality implies contextual equivalence 


module plfa.part3.ContextualEquivalence where 


Imports 


open import Data.Product using (_x ; 2; -syntax; 4; d-syntax; proji 


renaming (_, to (_, )) 


open import plfa.part2.Untyped using (F ; x; @; ,;%; -») 


open import plfa.part2.BigStep using (+ 4 ; cbn-reduce) 


open import plfa.part3.Denotational using (&; = ; =-sym; =-trans; 


open import plfa.part3.Compositional using (Ctx; plug; compositional 


open import plfa.part3.Soundness using (soundness) 
open import plfa.part3.Adequacy using (1-1) 


Contextual Equivalence 


The notion of contextual equivalence is an important one for pro- 
gramming languages because it is the sufficient condition for 
changing a subterm of a program while maintaining the pro- 
gram’s overall behavior. Two terms M and N are contextually 
equivalent if they can plugged into any context c and produce 
equivalent results. As discuss in the Denotational chapter, the re- 
sult of a program in the lambda calculus is to terminate or not. 
We characterize termination with the reduction semantics as fol- 
lows. 


terminates : V{—T} - (M: T+ *) > Set 
terminates {Tf} M=X[ NE (F , *« Ex) ] (M— XN) 


So two terms are contextually equivalent if plugging them into 
the same context produces two programs that either terminate or 
diverge together. 


= : VII} - (MN: FF x) > Set 
(= {f} MN) =V {C: CtxT 9} 
> (terminates (plug C M)) iff (terminates (plug C N) 


The contextual equivalence of two terms is difficult to prove di- 
rectly based on the above definition because of the universal 
quantification of the context Cc. One of the main motivations for 
developing denotational semantics is to have an alternative way 
to prove contextual equivalence that instead only requires rea- 
soning about the two terms. 


Denotational equivalence implies contextual equiv- 
alence 


Thankfully, the proof that denotational equality implies contex- 
tual equivalence is an easy corollary of the results that we have 
already established. Furthermore, the two directions of the if- 
and-only-if are symmetric, so we can prove one lemma and then 
use it twice in the theorem. 


The lemma states that if Mand N are denotationally equal and if 
M plugged into Cc terminates, then so does N plugged into Cc. 


denot-equal-terminates : V{T} {MN : Fb «} {C : Ctx F o} 
~ €M=é&éN -3 terminates (plug C M) 


~ terminates (plug C N) 
denot-equal-terminates {[}{M}{N}{C} dMeéN ( N’ , CMAN’ ) = 
let &CM=éKN’ = soundness CM—»AN’ in 
let &CM=éCN = compositionality{f = F}{A = o}{C = C} MeN in 
let &CN=éXN’ = =-trans (=-sym &CM&éCN) &CM&éXN’ in 
cbn-reduce (proj2 (proj2 (proj2 (17u E&CN=éXN’ )))) 


The proof is direct. Because plug C —» plug C (A N’), we 
can apply soundness to obtain 


€ (plug C M) = &€ (A N’) 
From & M = & N, compositionality gives us 


€ (plug C M) = € (plug CN). 


Putting these two facts together gives us 

€ (plug CN) = &€ (A N’). 

We then apply 4! from Chapter Adequacy to deduce 
O@' | plug Cc NU clos (A N’') 6). 


Call-by-name evaluation implies reduction to a lambda abstrac- 
tion, so we conclude that 


terminates (plug C N). 


The main theorem follows by two applications of the lemma. 


denot-equal-contex-equal : V{—f} {MN : TF x} 
-~ €M=E€EN 
-MeEN 
denot-equal-contex-equal{l}{M}{N} eq {C} = 
( (A tm = denot-equal-terminates eq tm) , 
(A tn > denot-equal-terminates (=-sym eq) tn) ) 


Unicode 


This chapter uses the following unicode: 


= U+2245 APPROXIMATELY EQUAL TO (\~= or \cong) 


Appendix 


Substitution: Substitution in the un- 
typed lambda calculus 


module plfa.part2.Substitution where 


Introduction 


The primary purpose of this chapter is to prove that substitution 
commutes with itself. Barendgredt (1984) refers to this as the 
substitution lemma: 


M [x:=N] [y:=L] =™M [y:=L] [x:= N[y:=L] ] 


In our setting, with de Bruijn indices for variables, the statement 
of the lemma becomes: 


M[N] [L] = MC LJ[NEL] ] 
(substitution) 


where the notation M [( L J) is for substituting L for index 1 
inside M. In addition, because we define substitution in terms of 
parallel substitution, we have the following generalization, re- 
placing the substitution of L with an arbitrary parallel substitu- 
tion o. 


subst o (M [N ]) = (subst (exts o) M) [ subst o 
N ] (subst—commute) 


The special case for renamings is also useful. 


rename p (M [ N ]) = (rename (ext p) M) [ rename 
oN ] 


(rename-subst-—commute) 


The secondary purpose of this chapter is to define the o algebra 


of parallel substitution due to Abadi, Cardelli, Curien, and Levy 
(1991). The equations of this algebra not only help us prove the 
substitution lemma, but they are generally useful. Furthermore, 
when the equations are applied from left to right, they form a re- 
write system that decides whether any two substitutions are 
equal. 


Imports 


import Relation.Binary.PropositionalEquality as Eq 
open Eq using ( = ; refl; sym; cong; cong2; cong-app) 
open Eq.=-Reasoning using (begin ; =() ; step-=; #1) 
open import Function using ( ° ) 


open import plfa.part2.Untyped 
using (Type; Context; -; *} 3; 9; ,;Z;S5 3; 3%; 


rename; subst; ext; exts; [ ]; subst-zero) 


postulate 
extensionality : V {AB : Set} {f g : A = B} 
> (VW (x : A) = f x =g x) 
~f=g 
Notation 


We introduce the following shorthand for the type of a renaming 
from variables in context IT to variables in context A. 


Rename : Context > Context - Set 
Rename [T A = V{A} -F SASASBA 


Similarly, we introduce the following shorthand for the type of a 
substitution from variables in context I to terms in context A. 


Subst : Context - Context - Set 
Subst F A= V{A} -T JASAEFA 


We use the following more succinct notation for the subst 
function. 


(_) : V{F A A} > Subst PF ASPFRASAFA 
( o ) =AM- subst o M 


The o algebra of substitution 


A substitution maps de Bruijn indices (natural numbers) to terms, 
sO we can view a substitution simply as a sequence of terms, or 
more precisely, as an infinite sequence of terms. The o algebra 
consists of four operations for building such sequences: identity 
ids, shift t, cons M ¢ o, and sequencing o § t. The sequence 
0, 1, 2, ... is constructed by the identity substitution. 


ids : V{T} - Subst FF 


ids x =~ Xx 


The shift operation + constructs the sequence 


and is defined as follows. 


+ : VIF A} > Subst TF (FT , A) 
1x = ° (S x) 


Given a term ™M and substitution o, the operation M « o con- 
structs the sequence 


M, oO, ol, o 2, 
This operation is analogous to the cons operation of Lisp. 
infixr 6 ¢_ 

e : V{T A A} = (AF A) > Subst F A = Subst (T , A) A 


)Z=M 


Given two substitutions o and 1, the sequencing operation o $ 
t composes the two substitutions by first applying o and then 
applying +t. So it produces the sequence 


Kt)(o 0), «t)(o 1), «Kt)(o 2), 
Here is the definition. 
INTixr’ 3) 3 


_3_: V{F A x} > Subst f A = Subst AX > Subst F x 
Oo; tT=(tT)os 


For the sequencing operation, Abadi et al. use the notation of 
function composition, writing o ° t, but still with o applied 
before t, which is the opposite of standard mathematical prac- 
tice. We instead write o 8 t, because semicolon is the standard 
notation for forward function composition. 


The o algebra equations 


The o algebra includes the following equations. 


(sub-head) «(Meoy)(* Z) =M 
3 


(sub-tail) t Me o) =o 

(sub-n) (oe) ( 2) * 44-3 6) So 
(Z-shift) (~ Z) ¢ ft = ids 

(sub-id) « ids ) M =M 

(sub-app) «€o) (L-+M) = (Ko) L) +: Ko dp 
M) 

(sub-abs) « o ) (A N) =A€o)N 

(sub-sub) «t)€o)M =€ oS t PM 
(sub-idL) ids 30 =o 

(sub-idR) o § ids =o 

(sub-assoc) (0 $ tT) 3 9 =o8 (t 3 8) 
(sub-dist) (Meo) 38 t = (« t ) M) ¢ (co 8 t) 


The first group of equations describe how the « operator acts 
like cons. The equation sub-head says that the variable zero Z 
returns the head of the sequence (it acts like the car of Lisp). 
Similarly, sub-tail says that sequencing with shift + returns 
the tail of the sequence (it acts like cdr of Lisp). The sub-n 
equation is the n-expansion rule for sequences, saying that taking 


the head and tail of a sequence, and then cons’ing them together 
yields the original sequence. The Z-shift equation says that 
cons’ing zero onto the shifted sequence produces the identity se- 
quence. 


The next four equations involve applying substitutions to terms. 
The equation sub-id says that the identity substitution returns 
the term unchanged. The equations sub-app and sub-abs 
says that substitution is a congruence for the lambda calculus. 
The sub-sub equation says that the sequence operator 3 be- 
haves as intended. 


The last four equations concern the sequencing of substitutions. 
The first two equations, sub-idL and sub-idR, say that ids 
is the left and right unit of the sequencing operator. The sub- 
assoc equation says that sequencing is associative. Finally, 
sub-dist says that post-sequencing distributes through cons. 


Relating the o algebra and substitution functions 


The definitions of substitution N [ M ] and parallel substitu- 
tion subst o N depend on several auxiliary functions: 
rename, exts, ext, and subst-zero. We shall relate those 
functions to terms in the o algebra. 


To begin with, renaming can be expressed in terms of substitu- 
tion. We have 


rename 9 M= € reno )M (rename- 
subst-—ren) 


where ren turns a renaming op into a substitution by post-com- 
posing p with the identity substitution. 


ren : V{T A} + Rename F A - Subst T A 
ren p = ids ° 9 


When the renaming is the increment function, then it is equiva- 
lent to shift. 


ren S_=t (ren- 


shift) 


rename S M=€1)™M™M (rename- 
shift) 


Renaming with the identity renaming leaves the term un- 
changed. 


rename (A {A} x > x) M=M (rename- 
id) 


Next we relate the exts function to the o algebra. Recall that 
the exts function extends a substitution as follows: 


exts o = ° Z, rename S_ (o 0), rename S_ (o 1), 
rename S_ (0 2), 


So exts is equivalent to cons’ing Z onto the sequence formed by 
applying o and then shifting. 


exts o = ~*~ Ze (o 8 t) (exts- 
cons-shift) 


The ext function does the same job as exts but for renamings 
instead of substitutions. So composing ext with ren is the 
same as composing ren with exts. 


ren (ext 9) = exts (ren 0p) (ren-ext) 


Thus, we can recast the exts-cons-shift equation in terms 
of renamings. 


ren (ext 9p) =~ Ze (ren oe $8 ft) (ext-cons-— 
Z-shift) 


It is also useful to specialize the sub-sub equation of the o al- 
gebra to the situation where the first substitution is a renaming. 


« o ) (rename p M) = € oe p )M (rename- 
subst) 


The subst-zero M substitution is equivalent to cons’ing M 


onto the identity substitution. 


subst-zero M=M e ids (subst-Z- 
cons-—ids) 


Finally, sequencing exts o with subst-zero M is equivalent 
to cons’ing Monto o. 


° 


exts o 3 subst-zero M = (M ®& o) (subst-— 
zero-exts-—cons) 


Proofs of sub-head, sub-tail, sub-n, Z-shift, sub-idL, 
sub-dist, and sub-app 


We start with the proofs that are immediate from the definitions 
of the operators. 


sub-head : V {f A} {A} {M : A - A}{o : Subst F A} 
(Me*eo} (° Z) =M 
refl 


ot 


sub-head 


sub-tail : V{T A} {A B} {M : At A} {o : Subst T A} 
(t » Me o) {A= B} Zo 
sub-tail = extensionality A x - refl 


L 


sub-n : V{T A} {A B} {o : Subst (F , A) A} 
»(({o} ( Z)* (¥ ¢0)) {(A=B} eo 
sub-n { }{A}{A}{B}{o} = extensionality A x > lemma 
where 
lemma : V {x} - 
lemma {x = Z} = 
lemma {x = S x} 


((( 6) ( Z)) * (1 3 o)) xX FOX 
refl 


Z-shift : V{F}{A B} 
> ((° Z) « 1) = ids {f , A} {B} 
Z-shift {[}{A}{B} = extensionality lemma 
where 
lemma : (x :F ,A3 8B) - ((° Z) © t) x = ids x 
lemma Z = refl 
lemma (S y) = refl 


sub-idL : V{T A} {o : Subst TF A} {A} 
~ ids ; co =o {A} 
sub-idL = extensionality A x > refl 


sub-dist : V{f A xX : Context} {A B} {o : Subst TF A} {t : Subst A ¥} 
{M : AE A} 
> ((M* 6) 3 tT) = ((subst tM) © (0 3 t)) {B} 
sub-dist {[}{A}{2}{A}{B}{o}{t}{M} = extensionality A x > lemma {x 
where 
lemma : V {x :T , A 3 B} > ((M eo) 3 tT) X = ((Subst TM) ¢ (6 3 
lemma {x = Z} = refl 
lemma {x = S x} = refl 


sub-app : V{F A} {o : Subst T A} {L : T + x}{M: PT Fb x} 
-(o)(L-M) =(€o PL): (Ko) M) 
sub-app = refl 


Interlude: congruences 


In this section we establish congruence rules for the o algebra op- 
erators *« and § and for subst and its helper functions ext, 
rename, exts, and subst-—zero. These congruence rules help 
with the equational reasoning in the later sections of this chap- 
ter. 


p 


cong-ext : V{F A}{p p 
=p’ {A}) 


> (V{A} = p 
> V{A} > ext p {B = B} = ext p’ {A} 
cong-ext{l}{A}{p}{p’}{B} rr {A} = extensionality A x > lemma {x} 
where 
lemma : V{x : TF , B 3 A} >= ext p x = ext pf’ x 
lemma {Z} = refl 
lemma {S y} = cong S_ (cong-app rr y) 


cong-rename : V{T A}{p p’ : Rename T A}{B}{M : T + B} 
~ (V{A} += p =’ {A}) 
> rename p M = rename p’ M 
cong-rename {M = ~ x} rr = cong ~_ (cong-app rr x) 
cong-rename {p = p} {p’ = p’} {(M=AN} err = 
cong X_ (cong-rename {p = ext p}{p’ = ext p’}{M = N} (cong-ext rr 
cong-rename {M=L -: M} rr 


congz _:_ (cong-rename rr) (cong-rename rr) 


cong-exts : V{T A}{o o’ : Subst T A}{B} 
~ (V{A} > 6 = 0° {A}) 
~ V{A} = exts o {B = B} = exts o’ {A} 
cong-exts{f }{A}{o}{o’'}{B} ss {A} = extensionality A x > lemma {x} 
where 
lemma : V{x} > exts o x = exts 0’ x 
lemma {Z} = refl 
lemma {S x} = cong (rename S_) (cong-app (ss {A}) x) 


cong-sub : V{F A}{o o’ : Subst T A}{A}{MM’ : T + A} 
> (V{A} = 6 =o’ {A}) - MEM’ 
> subst o M = subst o’ M’ 
cong-sub {f} {A} {o} {o’} {A} {> x} ss refl 
cong-sub {f} {A} {o} {o’'} {A} {X M} ss refl 
cong X_ (cong-sub {o = exts o}{o’ = exts o’} {M = M} (cong-exts s 
cong-sub {f} {A} {o} {o’} {A} {L : M} ss refl = 
congz _:_ (cong-sub {M = L} ss refl) (cong-sub {M = M} ss refl) 


cong-app ss x 


vr ill 


cong-sub-zero : V{T}{B : Type}{M M’ : TF - B} 

->M=WM 

~ V{A} > subst-zero M = (subst-zero M’) {A} 
cong-sub-zero {[}{B}{M}{M’} mm' {A} = 

extensionality A x > cong (A z = subst-zero z x) mm' 


cong-cons : V{T A}{A}{MN : At A}{o t : Subst F A} 
~M=EN 3 (V{A} > o {A} = Tt {A}) 
~ V{A} > (M * 6) {A} = (N © Tt) {A} 
cong-cons{f }{A}{A}{M}{N}{o}{t} refl st {A’} = extensionality lemma 
where 
lemma : (x :T , A323 A’) > (Me o) xX = (Me T) x 
lemma Z = refl 
lemma (S x) = cong-app st x 


cong-seq : V{F A 2}{o o’ : Subst F A}{t t’ : Subst A x} 
~ (W{A} + 0 {A} = 0” {A}) > (W{A} > t {A} = tv’ {A}) 
~ V{A} = (0 3 Tt) {A} = (0" 5 tT’) {A} 

cong-seq {f }{A}{Z}{o}{o’}{t}{t’} ss' tt' {A} = extensionality lemma 
where 


subst T (6 x) 

=( cong (subst t) (cong-app ss' x) ) 
subst T (0’ x) 

=( cong-sub{M = o’ x} tt' refl ) 
subst t’ (0° x) 


Relating rename, exts, ext, and subst-—zero to 
the o algebra 


In this section we establish equations that relate subst and its 
helper functions (rename, exts, ext, and subst-zero) to 
terms in the o algebra. 


The first equation we prove is 


rename p M = € ren p ) M (rename- 
subst-ren) 


Because subst uses the exts function, we need the following 
lemma which says that exts and ext do the same thing except 
that ext works on renamings and exts works on substitutions. 


ren-ext : V {f A}{B C : Type} {p : Rename T A} 
> ren (ext p {B = B}) = exts (ren p) {C} 
ren-ext {f}{A}{B}{C}{p} = extensionality A x > lemma {x = x} 
where 
lemma : V {x :T , B 5 C} - (ren (ext p)) x = exts (ren p) 
lemma {x = Z} = refl 
lemma {x = S x} = refl 


With this lemma in hand, the proof is a straightforward induc- 
tion on the term M. 


rename-subst-ren : V {f A}{A} {p : Rename T A}{M : T + A} 
+ rename p M= ( renp))™ 


34 
p}{M 


rename-subst-ren {M 
rename-subst-ren {p 
begin 
rename p (X N) 
={) 
K rename (ext p) N 
=( cong X_ (rename-subst-ren {p = ext p}{M = N}) ) 
K ( ren (ext p) ) N 
=( cong X_ (cong-sub {M = N} ren-ext refl) } 
K ( exts (renp) }) N 


ol 
s 
(0) 
hh 
cc 


ll 
a 
~ 


( ren p )) (XN) 
a 
rename-subst-ren {M =L + M} = cong2 _:_ rename-subst-ren rename-suk 


The substitution ren S_ is equivalent to 1. 


ren-shift : V{l}{A}{B} 
>renS =tT {A = B} {A} 
ren-shift {[}{A}{B} = extensionality A x > lemma {x = x} 
where 
lemma : V {x : T 3 A} > ren (S {B = B}) x = 1 {A = B} x 
lemma {x = Z} = refl 
lemma {x = S x} = refl 


The substitution rename S_ Mis equivalent to shifting: « + ) 
M. 


rename-shift : V{T} {A} {B} {M: TF + A} 
> rename (S {B = B})M=( 1} M 
rename-shift{l}{A}{B}{M} = 
begin 
rename S_M 
=( rename-subst-ren ) 
{ ren S ))M 
=( cong-sub{M = M} ren-shift refl ) 
( + )M 
| 


Next we prove the equation exts-cons-shift, which states 
that exts is equivalent to cons’ing Z onto the sequence formed 
by applying o and then shifting. The proof is by case analysis on 
the variable x, using rename-subst-ren for when x = § y. 


exts-cons-shift : V{T A} {A B} {o : Subst TF A} 
~ exts o {A} {B} = (° Z* (6 3 1)) 
exts-cons-shift = extensionality A x > lemma{x = x} 
where 
lemma : V{T A} {A B} {o : Subst T A} {x : TF , B35 A} 
> extsox=(° Ze (063 t)) x 
} refl 


lemma {x = 
y} = rename-subst-ren 


lemma {x 


Z 
S 


As a corollary, we have a similar correspondence for ren (ext 
p). 


ext-cons-Z-shift : V{F A} {p : Rename F A}{A}{B} 
> ren (ext p {B = B}) = (° Z® (renp ¢; 1t)) {A} 
ext-cons-Z-shift {[}{A}{p}{A}{B} = 
begin 
ren (ext p) 
=( ren-ext ) 
exts (ren p) 
=( exts-cons-shift{o = ren p} ) 
((- Z):* Pen p 3°) 


Finally, the subst-zero M _ substitution is equivalent to 
cons’ing M onto the identity substitution. 


subst-Z-cons-ids : V{T}{A B : Type}{M : T - B} 
~ subst-zero M = (M « ids) {A} 
subst-Z-cons-ids = extensionality A x > lemma {x = x} 
where 
lemma : V{T}{A B : Type}{M :T + B}{x : FT , B 5 A} 
~ subst-zero M x = (M « ids) x 
lemma {x 
lemma {x 


Proofs of sub-abs, sub-id, and rename-id 


The equation sub-abs follows immediately from the equation 
exts-—cons-shift. 


sub-abs : V{T A} {o : Subst F A} {N: TF ,*F 
> 0) (KN) =X ( Z) * (63 1) 
sub-abs {o = o}{N = N} = 


K ( exts o )) N 

=( cong X_ (cong-sub{M = N} exts-cons-shift refl) ) 
AG (" Z) * (o-3 ft) YN 

| 


The proof of sub-id requires the following lemma which says 
that extending the identity substitution produces the identity 
substitution. 


exts-ids : V{T}{A B} 
~ exts ids = ids {f , B} {A} 
exts-ids {[}{A}{B} = extensionality lemma 
where lemma : (x :T , B 3 A) > exts ids x = ids x 
lemma Z = refl 
) = 


lemma (S x refl 


The proof of « ids ) M = M now follows easily by induction 
on M, using exts-—ids in the case for M = A N. 


sub-id : V{T} {A} {M : i A} 

> ( ids )M 

sub-id {M = ~ x} 

sub-id {M = X N} 
begin 

( ids }) (A N) 


4 


— 


K ( exts ids }) N 
=( cong X_ (cong-sub{M = N} exts-ids refl) ) 


K ( ids )) N 
=( cong X_ sub-id ) 
KN 
| 
sub-id {M = L - M} = cong2 _:_ sub-id sub-id 


The rename-id equation is a corollary is sub-id. 


rename-id : V {T}{A} {M :T + A} 
> rename (A {A} x > x) M=M 
rename-id {M = M} = 
begin 
rename (A {A} x > x) M 


=( rename-subst-ren  ) 
( ren (A {A} x = x) }) M 


Proof of sub-idR 
The proof of sub-idR follows directly from sub-id. 


sub-idR : V{T A} {o : Subst F A} {A} 
> (o ; ids) =o {A} 
sub-idR {[}{o = o}{A} = 
begin 


( ids }} oo 
{ extensionality (A x - sub-id) ) 
) 


Proof of sub-sub 
The sub-sub equation states that sequenced substitutions o 3 
t are equivalent to first applying o then applying t. 


(td) @odM =€ oF tM 


The proof requires several lemmas. First, we need to prove the 
specialization for renaming. 


rename op (rename o’ M) = rename (9 ° pp’) M 


This in turn requires the following lemma about ext. 


compose-ext : V{f A Z2}{p : Rename A x} {p’ : Rename T A} {A B} 
> ((ext p) ° (ext p’)) = ext (p © p’) {B} {A} 
compose-ext = extensionality A x > lemma {x = x} 
where 
lemma : V{f A X}{p : Rename A 2} {p’ : Rename T A} {A B} {x : T , 
> ((ext p) ° (ext p’)) x = ext (p ° p’) x 


lemma {x 
lemma {x 


To prove that composing renamings is equivalent to applying one 
after the other using rename, we proceed by induction on the 
term M, using the compose-ext lemma in the case for M = A 
N. 


compose-rename : V{T A X}{A}{M : T + A}{p : Rename A X}{p’ : Rename 
> rename p (rename p’ M) = rename (p © p’) M 


compose-rename {M = ~ x} = refl 
compose-rename {[}{A}{Z}{A}{X N}{p}{p’} = cong X_G 
where 


G : rename (ext p) (rename (ext p’) N) = rename (ext (p o p’)) N 
G= 
begin 
rename (ext p) (rename (ext p’) N) 
=( compose-rename{p = ext p}{p’ = ext p’} ) 
rename ((ext p) ° (ext p’)) N 
=( cong-rename compose-ext ) 
rename (ext (p ° p’)) N 


compose-rename {M = L + M} = cong2 _:_ compose-rename compose-rename 


The next lemma states that if a renaming and substitution com- 
mute on variables, then they also commute on terms. We explain 
the proof in detail below. 


commute-subst-rename : V{T A}{M : TF -F x}{o : Subst F A} 
{p : V{f} + Rename FT (TF , «)} 

> (V{x : F 3 «} > exts o {B = x} (p x) = rename p (o x)) 

> subst (exts o {B = x}) (rename p M) = rename p (subst o M) 
commute-subst-rename {M= * x} r=r 
commute-subst-rename{l }{A}{X N}{o}{p} r = 

cong X_ (commute-subst-rename{f , x}{A , x}{N} 
{exts o}{p = p’} (A {x} > H {x})) 


where 

p’ : V {fT} = Rename TF (FT , x) 
p’ {2} =A () 

p’ {f , x} = ext p 


H: {x :T ,* 3 «*} > exts (exts o) (ext p x) = rename (ext p) (é 
refl 


begin 

exts (exts o) (ext p (S y)) 
=() 

rename S_ (exts o (p y)) 
=( cong (rename S ) r ) 

rename S_ (rename p (0 y)) 
=( compose-rename ) 

rename (S_ © p) (0 y) 
=( cong-rename refl ) 

rename ((ext p) ° S_) (6 y) 
=( sym compose-rename ) 

rename (ext p) (rename S_ (o y)) 
= 

rename (ext p) (exts o (S y)) 
| 


commute-subst-rename {M=L - M}{p = p} r 
congz _-_ (commute-subst-rename{M = Litp = p} r) 
(commute-subst-rename{M = M}{p = p} r) 


The proof is by induction on the term ™M. 
* If Misa variable, then we use the premise to conclude. 


- If M = A _N, we conclude using the induction hypothesis 
for N. However, to use the induction hypothesis, we must 
show that 


exts (exts o) (ext op x) = rename (ext 0) 
(exts oO xX) 


We prove this equation by cases on x. 
© If x = Z, the two sides are equal by definition. 


O If x = Sy, we obtain the goal by the following 
equational reasoning. 


exts (exts o) (ext p (S y)) 

rename S_ (exts o (p y)) 

rename S_ (rename S_ (oO (p y) 
by the premise) 

rename (ext oe) (exts o (S y)) 
by compose-rename) 

rename ((ext 9) ° S_) (o y) 


Ih —~ oil Soll 


= rename (ext o) (rename S_ (o y)) 
(by compose-rename) 
= rename (ext 0) 


* If Mis an application, we obtain the goal using the induc- 


(exts o (S y)) 


tion hypothesis for each subterm. 


The last lemma needed to prove sub-sub states that the exts 


function distributes with sequencing. It is a corollary of 


commute-subst-—rename as described below. (It would have 


been nicer to prove this directly by equational reasoning in the o 


algebra, but that would require the sub-assoc equation, whose 
proof depends on sub-sub, which in turn depends on this 


lemma.) 


exts-seq : V{T A A’} {o1 : Subst T A} {o2 : Subst A A’} 


> V {A} - (exts 61 ; exts 62) {A} = exts (61 3; 62) 


exts-seq = extensionality A x > lemma {x = x} 


where 


lemma : V{T A A’ }{A}{x : F , * 3 A} {01 : Subst F A}{o2 


> (exts 61 ; exts O2) x 
lemma {x = Z} = refl 


exts (61 3; 62) X 


lemma {A : x}{x = S x}{o1}{o2} = 


(exts G1 3 exts G2) (S x) 


( exts o2 }) (rename S_ (01 x)) 


rename S_ (( 62 }) (61 Xx)) 


rename S_ ((61 3 62) X) 


The proof proceed by cases on x. 


: Subst A 


{ commute-subst-rename{M = o1 x}{o = o2}{p = S } refl ) 


* If x = Z, the two sides are equal by the definition of 


exts and sequencing. 


- If x = S x, we unfold the first use of exts and sequenc- 
ing, then apply the lemma commute-subst-rename. We 
conclude by the definition of sequencing. 


Now we come to the proof of sub-sub, which we explain be- 


low. 


sub-sub : V{T A X}{A}{M : FT F A} {o1 : Subst F A}{o2 : Subst A x} 
> ( 62 )) ({ o1 )) M) = ( o1 3 o2 ) M 
sub-sub {M = ~ x} = refl 
sub-sub {C }{A}{2}{A}{X N}{oi}{o2} = 
begin 
( o2 }) (( o1 }) (A N)) 


K ( exts o2 }) (( exts o1 }) N) 
=( cong X_ (sub-sub{M = N}{o1 = exts oi}{o2 = exts o2}) ) 
K ( exts o1 3 exts o2 )) N 
=( cong X_ (cong-sub{M = N} (A {A} - exts-seq) refl) ) 
K ( exts ( 61 3 G2) )) N 
| 
sub-sub {M =L - M} = congz «_ (Sub-sub{M = L}) (sub-sub{M = M}) 


We proceed by induction on the term ™M. 
* If M = x, then both sides are equal to 02 (01 x). 


- If M = A N, we first use the induction hypothesis to show 
that 


A € exts o2 ) (€ exts o1 ) N) =A € exts of 


° 


8 exts o2 ) N 
and then use the lemma exts-—seg to show 


A € exts o1 § exts ono )N=A ( exts ( 1 3 
o2) ) N 


* If Mis an application, we use the induction hypothesis for 
both subterms. 


The following corollary of sub-sub specializes the first substi- 
tution to a renaming. 


rename-subst : V{T A A’}{M : PF + «}{p : Rename T A}{o : Subst A A’} 
> (6 )) (rename pM) =(€ o°ep)M 
rename-subst {[}{A}{A’}{M}{p}{o} = 
begin 
( o }) (rename p M) 
=( cong « o }) (rename-subst-ren{M = M}) ) 


( o }) (€ ren p }) M) 
=( sub-sub{M = M} }) 

( renp;o)M 
={} 
(o°p)M 


= 


Proof of sub-assoc 


The proof of sub-assoc follows directly from sub-sub and 
the definition of sequencing. 


sub-assoc : V{Tf A XW : Context} {o : Subst F A} {t : Subst A x} 


{98 : Subst x V} 


~ V{A} = (0 3 T) 3 8 = (o 8) {A} 
sub-assoc {[}{A}{Z}{VY}{o}{t}{O} {A} = ony ee ee A xX > lemma{x = 
where 
lemma : V {x : T 3 A} = ((6 : T) 3 8) X= (O63 T 3 OB) x 
lemma {x} = 
begin 


((o 3 tT) 3; 8) x 
={) 

«( 8) (€ t } (oO x)) 
=( sub-sub{M = o x} ) 

( t 3 8 }) (6 x) 
={) 

(Oo 3 1 3 0) x 
| 


Proof of subst-zero-exts-cons 


The last equation we needed to prove subst-zero-exts- 
cons was sub-assoc, so we can now go ahead with its proof. 
We simply apply the equations for exts and subst-zero and 
then apply the o algebra equation to arrive at the normal form M 
* 0. 


subst-zero-exts-cons : V{fT A}{o : Subst F A}{B}{M : A + B}{A} 
> exts o ; subst-zero M = (Me o) {A} 
subst-zero-exts-cons {[}{A}{o}{B}{M}{A} = 
begin 
exts o ; subst-zero M 
=( cong-seq exts-cons-shift subst-Z-cons-ids ) 


(* Z* (Oo 3 t)) 3 (Me ids) 
=( sub-dist } 
(4 M = dds } (" Z)) = ((o ¢ f) @ (M = ads)) 
=( cong-cons (sub-head{o = ids}) refl ) 
Ms ((o 3 t) 3 (M ® ids)) 
=( cong-cons refl (sub-assoc{o = o}) ) 
Me (o 9 (t 9 (M = dds))) 
=( cong-cons refl (cong-seq{o = o} refl (sub-tail{M = M}{o = ids 
Me (o : ids) 
=( cong-cons refl (sub-idR{o = o}) ) 
Meo 
| 


Proof of the substitution lemma 


We first prove the generalized form of the substitution lemma, 
showing that a substitution o commutes with the substitution of 
Minto N. 


€ extso)N[€o)M]=€0) (N[M]) 


This proof is where the o algebra pays off. The proof is by direct 
equational reasoning. Starting with the left-hand side, we apply o 
algebra equations, oriented left-to-right, until we arrive at the 
normal form 


«(«€{o)Meo)N 


We then do the same with the right-hand side, arriving at the 
same normal form. 


subst-commute : V{T A}{N: F , 
> extso}N[(o)M] 
subst-commute {C}{A}{N}{M}{o} = 
begin 
( extso)N[ @(o)M] 


x}{o : Subst F A } 
]) 


( subst-zero (( o }) M) )) (( exts o }) N) 

=( cong-sub {M = ( exts o )) N} subst-Z-cons-ids refl ) 
( ( 6) Me ids }) (( exts o }) N) 

=( sub-sub {M = N} 
( (exts o) ; (( 

=( cong-sub S = 
{( Ze loe 4 


) 

( 6 )) M) ¢ ids) )) N 

N} (cong-seq exts-cons-shift refl) refl ) 
)) 3 (€ 6 ) Me ids) } N 


=( cong-sub {M = N} (sub-dist {M = ~ Z}) refl ) 
(«€ @€ 6) Me ids ) (* Z) © ((o 5 t) 3 (C6) M® ids)) )) N 


(o) Me ((o 5 t) ; (46 ) Me ids)) ) N 

=( cong-sub{M = N} (cong-cons refl (sub-assoc{o = o})) refl } 
(@€o)Me (os t 3 (06) Me ids) )) N 

=( cong-sub{M = N} refl refl ) 
«( {6 }) Me (o ; ids) )) N 

=( cong-sub{M = N} (cong-cons refl (sub-idR{o = o})) refl ) 
((o)Meo})N 

=( cong-sub{M = N} (cong-cons refl (sub-idL{o = o})) refl ) 
( (6) Me (ids ; 6) ) N 

=( cong-sub{M = N} (sym sub-dist) refl ) 
( Me ids ; 06 }) N 

=( sym (Ssub-sub{M = N}) ) 
«( o }) (( Me ids )) N) 

=( cong ( o )) (sym (cong-sub{M = N} subst-Z-cons-ids refl)) ) 
( o }) (N[ M ]) 

a 


A corollary of subst-—commute is that rename also commutes 
with substitution. In the proof below, we first exchange rename 
o for the substitution « ren p ), and apply subst-commute, 
and then convert back to rename op. 


x}{M : FF «}{p : Rename [ 
rename p (N [ M ]) 


rename-subst-commute : V{T A}{N :T , x 
> (rename (ext p) N) [ rename p M ] 
rename-subst-commute {F}{A}{N}{M}{p} = 
begin 
(rename (ext p) N) [ rename p M J 
=( cong-sub (cong-sub-zero (rename-subst-ren{M = M})) 
(rename-subst-ren{M = N}) ) 
({ ren (ext p) }) N) [ ( ren p })M ] 
=( cong-sub refl (cong-sub{M = N} ren-ext refl) ) 
(({ exts (ren p) )) N) [ ( renp )™M ] 
=( subst-commute{N = N} ) 
subst (ren p) (N [ M ]) 
=( sym (rename-subst-ren) ) 
rename p (N [ M ]) 
a 


WoT 


To present the substitution lemma, we introduce the following 
notation for substituting a term M for index 1 within term N. 


CJ): V {ABC} 


o>F,B,CEA 
>T EB 
oF ,CkA 


_C.) {7} {A} {B} {C} NM = 
subst {Tf , B , C} {f , C} (exts (subst-zero M)) {A} N 


The substitution lemma is stated as follows and proved as a 
corollary of the subst-commute lemma. 


substitution : V{T}{M: TF , * , « ER we}{N : T , « E we}{L : FF x} 
>(M[~N]) [TL] =(MCLI)) E (NEL ]) J 

substitution{M = M}{N = N}{L = L} = 
sym (subst-commute{N = M}{M = N}{o = subst-zero L}) 


Notes 


Most of the properties and proofs in this file are based on the pa- 
per Autosubst: Reasoning with de Bruijn Terms and Parallel Substitu- 
tion by Schafer, Tebbi, and Smolka (ITP 2015). That paper, in 
turn, is based on the paper of Abadi, Cardelli, Curien, and Levy 
(1991) that defines the o algebra. 
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